On November 16, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) added the Sophos Web Appliance command injection vulnerability CVE-2023-1671 to its Known Exploited Vulnerabilities (KEV) catalog [1]. Although it was disclosed in April 2023, CVE-2023-1671 is still being actively exploited in the wild. The vulnerability has a CVSS score of 9.8 (Critical).
In this blog, we explain the Sophos CVE-2023-1671 vulnerability and how organizations can defend against attacks that exploit it.
Sophos Web Appliance CVE-2023-1671 Explained
Sophos Web Appliance (SWA) is used by organizations to filter incoming web traffic to protect against web-based threats. It is often used for content filtering, threat protection, and data loss prevention (DLP). Sophos Web Appliance is placed at the network perimeter or specified network segments where web traffic can be analyzed and filtered.
In April 2023, Sophos disclosed a pre-authentication command injection vulnerability affecting Sophos Web Appliance. It allows adversaries to execute arbitrary commands without authenticating. CVE-2023-1671 affects Sophos Web Appliance versions prior to 4.3.10.4. SWA receives updates automatically by default, and Sophos released a fix at the time of disclosure. Although SWA has an auto-update feature and the product reached End-of-Life on July 20, 2023, adversaries are still exploiting vulnerable SWA instances in the wild. Organizations are advised to update vulnerable SWA deployments and keep the device behind a firewall so that it is not reachable from the public internet.
How Does the Sophos Web Appliance CVE-2023-1671 Exploit Work?
The Sophos CVE-2023-1671 vulnerability stems from a vulnerable component, the warn-proceed handler. The weakness is classified as CWE-77 (improper neutralization of special elements used in a command) and allows adversaries to craft input for pre-authentication command injection. User input sent to "/index.php?c=blocked" in an HTTP POST request is routed to UsrBlocked.php and processed by the escapeshellarg function [2].
```php
if($_GET['action'] == 'continue') {
```
Code section where UsrBlocked.php handles user input (excerpt)
When an attacker sends a base64-encoded command in the POST request, it is passed on to the ftsblistpack Perl script. Because the input is only wrapped in single quotes before it reaches the shell, an attacker can break out of the quoting and execute commands remotely.
```perl
open my $flag, ">", "$flag_file_dir/$proceeded_flag_file" or die "Open file [$flag_file_dir/$proceeded_flag_file] failed" and $rc++;
```
The system function in the ftsblistpack Perl script before the patch (excerpt)
An example payload is given below. It executes a reverse shell connection to the test machine.
Base64 encoded:
POST /index.php?c=blocked&action=continue HTTP/1.1
Base64 decoded:
POST /index.php?c=blocked&action=continue HTTP/1.1
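The request pattern described above (a POST to /index.php?c=blocked&action=continue carrying a base64-encoded body field) is what a defender can hunt for in proxy or WAF logs. The following detection helper is an added example, not code from the post or from Sophos; the body field name "payload" is a placeholder, since the page does not name the real parameter, and the sample requests are constructed.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Shell metacharacters that a legitimate warn-proceed field should never contain
# once decoded; a single quote is the key one, since escapeshellarg wraps in quotes.
SHELL_METACHARS = re.compile(r"['`;|&$()\n]")


def decode_b64(value):
    """Return decoded bytes if value is strictly valid base64, otherwise None."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def inspect_request(raw):
    """Flag base64 body fields of a warn-proceed POST that decode to shell metacharacters.

    Returns a list of (field_name, decoded_text) findings; empty means nothing suspicious.
    """
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _ = request_line.split(" ", 2)
    url = urlparse(target)
    query = parse_qs(url.query)
    findings = []
    # Only the blocked-page "continue" action reaches the vulnerable handler.
    if method != "POST" or url.path != "/index.php":
        return findings
    if query.get("c") != ["blocked"] or query.get("action") != ["continue"]:
        return findings
    for name, values in parse_qs(body).items():
        for value in values:
            decoded = decode_b64(value)
            if decoded is None:
                continue  # not base64; the vulnerable path expects base64 input
            text = decoded.decode("utf-8", errors="replace")
            if SHELL_METACHARS.search(text):
                findings.append((name, text))
    return findings


def build_request(field_value):
    """Construct a sample warn-proceed POST (constructed test data, field name is a placeholder)."""
    body = urlencode({"payload": base64.b64encode(field_value.encode()).decode()})
    return ("POST /index.php?c=blocked&action=continue HTTP/1.1\r\n"
            "Host: swa.example.internal\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


BENIGN = build_request("http://intranet.example/page")   # constructed: a normal URL
SUSPECT = build_request("x' ; echo test ; '")             # constructed: quote breakout
```

Run inspect_request over each logged request body; only hits that decode to quote or command-separator characters are reported, so ordinary URLs in the field stay quiet.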
How Does Picus Help Simulate Sophos CVE-2023-1671 Attacks?
We strongly suggest simulating the Sophos CVE-2023-1671 vulnerability with the Picus Complete Security Validation Platform to test the effectiveness of your security controls against sophisticated cyber attacks. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Looney Tunables, and ProxyShell, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threat for Sophos CVE-2023-1671 vulnerability exploitation attacks:

| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 34756 | Sophos Web Appliance Web Attack Campaign | Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that address the Sophos CVE-2023-1671 vulnerability and other vulnerability exploitation attacks in preventive security controls. Picus Labs has currently validated the following signatures for the Sophos CVE-2023-1671 vulnerability:

| Security Control | Signature ID | Signature Name |
|---|---|---|
| Checkpoint NGFW | asm_dynamic_prop_CVE_2023_1671 | Sophos Web Appliance Command Injection (CVE-2023-1671) |
| Cisco FirePower | 1.61794.1 | SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt |
| Fortigate IPS | 52919 | web_app3: Sophos.Web.Appliance.warn-proceed.Command.Injection |
| Imperva SecureSphere | CVE-2023-1671: Sophos Web Appliance Pre-Auth RCE | |
| McAfee | 0x452e5000 | HTTP: Sophos Web-Appliance Pre-Authentication Command Injection Vulnerability (CVE-2023-1671) |
| Palo Alto | 93746 | Sophos Web Appliance Command Injection Vulnerability |
| Snort | 1.61794.1 | SERVER-WEBAPP Sophos Virtual Web Appliance unauthenticated command injection attempt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] "CISA Adds Three Known Exploited Vulnerabilities to Catalog," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/alerts/2023/11/16/cisa-adds-three-known-exploited-vulnerabilities-catalog. [Accessed: Nov. 22, 2023]
[2] "Analysis of Pre-Auth RCE in Sophos Web Appliance (CVE-2023-1671) - Blog," VulnCheck. Available: https://vulncheck.com/blog/cve-2023-1671-analysis. [Accessed: Nov. 22, 2023]