Lucene search
Tim Schughart1337DAY-ID-25233HistoryOct 03, 2016 - 12:00 a.m.
Sophos UTM 9.405-5 / 9.404-5 Information Disclosure Vulnerability
2016-10-0300:00:00
Tim Schughart
0day.today
33
0.001 Low
EPSS
Percentile
19.8%
Sophos UTM versions 9.405-5 and 9.404-5 suffer from information disclosure vulnerabilities.
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: yes
Solution status: Not fixed by Vendor, no further responses from vendor.
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-09-30
CVE reference: CVE-2016-7397
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Report timeline:
2016-09-01: Contacted Vendor, vendor acknowledged, no further response
2016-09-12: Contacted Vendor again, started to fix
2016-09-30: Contacted Vendor again, because there has been no response to our request and our initial told disclosing date, no response again.
2016-09-30: Public Disclosure.
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of the SMTP user settings in notifications tab. You have to be authenticated to access the configuration tab.
Risk:
An attacker gets access to the configured mailbox. Because of Sophos UTM is a multi user system, this is a problem in bigger company environments with splitted admin rights. The surface scope is changed, because in bigger environments you are getting access to the configured mailbox, which results in an integrity loss.
Steps to reproduce:
See vulnerability details.
--
Product: Sophos UTM
Vendor: Sophos ltd.
Internal reference: ? (Bug ID)
Vulnerability type: Information Disclosure
Vulnerable version: 9.405-5, 9.404-5 and possible other versions affected (not tested)
Vulnerable component: Frontend
Report confidence: ?
Solution status: Not fixed by Vendor
Fixed versions: -
Researcher credits: Tim Schughart & Khanh Quoc Pham of ProSec Networks
Vendor notification: 2016-09-01
Solution date: -
Public disclosure: 2016-10-01
CVE reference: CVE-2016-7442
CVSSv3: 6.7 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N
Vulnerability Details:
The password is reflected to DOM and is readable through the "value" field of the proxy user settings in the system settings / scan settings / anti spam. You have to be authenticated to access the configuration tab.
Risk:
An attacker gets access to the configured proxy user. Because of Sophos UTM is a multi user system, this is a problem in bigger company environments with splitted admin rights. The surface scope is changed, because in bigger environments you are getting access to the configured proxy user, which results in an privilege escalation.
Steps to reproduce:
See vulnerability details.
# 0day.today [2018-04-03] #Related
packetstorm
packetstorm
Sophos UTM 9.405-5 / 9.404-5 Information Disclosure
2016-09-30 00:00:00
nvd
nvd
CVE-2016-7442
2016-10-03 16:09:16
CVE-2016-7397
2016-10-03 16:09:14
cvelist
cvelist
CVE-2016-7442
2016-10-03 16:00:00
CVE-2016-7397
2016-10-03 16:00:00
prion
prion
Design/Logic Flaw
2016-10-03 16:09:00
Design/Logic Flaw
2016-10-03 16:09:00
cve
cve
CVE-2016-7442
2016-10-03 16:09:16
CVE-2016-7397
2016-10-03 16:09:14