
Sophos SG UTM < 9.511 / 9.6 < 9.607 / 9.7 < 9.705 RCE (CVE-2020-25223)


A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before 9.511 MR11, 9.6 before 9.607 MR7, and 9.7 before 9.705 MR5. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands on the remote host as the root user.

Note that Nessus has not tested for this issue; it relies solely on the version number the application reports. Because the flaw is an unauthenticated root RCE with a public Metasploit module and a CISA KEV listing, a hit should be treated as high priority and confirmed against the vendor advisory rather than dismissed on the basis of the version check alone.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

# Plugin registration. Everything in this block is metadata consumed by the
# Nessus engine; the actual version check lives after it.
if (description)
{
  script_id(171238);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/02/09");

  script_cve_id("CVE-2020-25223");
  # Cross-reference to CISA's Known Exploited Vulnerabilities catalog (the value
  # is the date recorded for that listing). A hit from this plugin is therefore
  # a finding for a flaw known to be exploited in the wild, not a theoretical one.
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Sophos SG UTM < 9.511 / 9.6 < 9.607 / 9.7 < 9.705 RCE (CVE-2020-25223)");

  script_set_attribute(attribute:"synopsis", value:
"The Sophos SG UTM is affected by a remote code execution vulnerability.");
  # The description states the plugin's limitation explicitly: it is a
  # version-only check, so accuracy depends entirely on the self-reported version.
  script_set_attribute(attribute:"description", value:
"A remote code execution vulnerability exists in the WebAdmin of Sophos SG UTM before 9.511 MR11, 
9.6 before 9.607 MR7, and 9.7 before 9.705 MR5. An unauthenticated, remote attacker can exploit this 
to bypass authentication and execute arbitrary commands on the remote host as the root user.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported 
version number.");
  # Vendor advisory (sophos-sa-20200918-sg-webadmin-rce). The see_also value is a
  # Tenable shortlink, presumably resolving to the URL in the comment above.
  # https://www.sophos.com/en-us/security-advisories/sophos-sa-20200918-sg-webadmin-rce
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?76b91a1f");
  # The fix shipped as a maintenance release on each of the three release trains.
  script_set_attribute(attribute:"solution", value:
"Upgrade to Sophos UTM version 9.511, 9.607, or 9.705 or later.");
  # Both vectors encode: network-reachable, low complexity, no authentication, no
  # user interaction, full C/I/A impact (CVSS2 base 10.0, CVSSv3 base 9.8).
  # Temporal metrics record a high-functionality exploit and an official fix.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-25223");

  # A public Metasploit module exists; metasploit_name is that module's title.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Sophos UTM WebAdmin SID Command Injection');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Patch date precedes the public advisory by one day as recorded here.
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/09/18");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/09/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/09");

  # "combined": the version may come from either of the two detection plugins
  # named in script_dependencies below (one web-based, the other presumably
  # credentialed/local -- confirm against those plugins). Two CPE forms are
  # registered, an OS-style x-cpe and an application-style cpe.
  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:sophos:unified_threat_management");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:sophos:unified_threat_management");
  script_end_attributes();

  # ACT_GATHER_INFO: the plugin only consumes version data already in the KB;
  # it sends no attack traffic to the WebAdmin endpoint.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Runs only after a detection plugin has recorded a Sophos UTM install in the KB.
  script_dependencies("sophos_utm_detect.nbin", "sophos_utm_web_detect.nbin");
  script_require_keys("installed_sw/Sophos UTM");

  exit(0);
}

include("vcf.inc");

# Detection logic. This is a version-only check: the app info is read from the
# KB populated by the Sophos UTM detection plugins, and nothing here contacts
# the vulnerable WebAdmin endpoint. The verdict is therefore only as reliable
# as the version string the appliance reports.
var utm = vcf::combined_get_app_info(app:"Sophos UTM");

# Affected ranges, one entry per release train, per the advisory referenced in
# see_also. The first entry intentionally has no min_version: any reported
# version below 9.511 is flagged. fixed_version drives the comparison;
# fixed_display (with the MR label) is what appears in the report.
var affected = [
  {'fixed_version':'9.511', 'fixed_display':'9.511 MR11'},
  {'min_version':'9.600', 'fixed_version':'9.607', 'fixed_display':'9.607 MR7'},
  {'min_version':'9.700', 'fixed_version':'9.705', 'fixed_display':'9.705 MR5'}
];

# Unauthenticated root RCE: reported at SECURITY_HOLE severity, consistent
# with the CVSS vectors registered in the description block.
vcf::check_version_and_report(app_info:utm, constraints:affected, severity:SECURITY_HOLE);
