CVE-2016-9554 - Vulnerability Details

Vendors	Products
Sophos	Web Appliance

Link	Providers
http://pastebin.com/UB8Ye6ZU
http://www.securityfocus.com/bid/95858
https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-01-28T00:00:00", "descriptions": [{"lang": "en", "value": "The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-02-23T01:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "95858", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/95858"}, {"tags": ["x_refsource_MISC"], "url": "http://pastebin.com/UB8Ye6ZU"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-9554", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "95858", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95858"}, {"name": "http://pastebin.com/UB8Ye6ZU", "refsource": "MISC", "url": "http://pastebin.com/UB8Ye6ZU"}, {"name": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1", "refsource": "CONFIRM", "url": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:50:38.595Z"}, "title": "CVE Program Container", "references": [{"name": "95858", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/95858"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://pastebin.com/UB8Ye6ZU"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-9554", "datePublished": "2017-01-28T12:38:00", "dateReserved": "2016-11-22T00:00:00", "dateUpdated": "2024-08-06T02:50:38.595Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sophos:web_appliance:4.2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "D0F4F4AA-F2D3-4054-A293-E12C03C3B679", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Sophos Web Appliance Remote / Secure Web Gateway server (version 4.2.1.3) is vulnerable to a Remote Command Injection vulnerability in its web administrative interface. These vulnerabilities occur in MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), in the component responsible for performing diagnostic tests with the UNIX wget utility. The application doesn't properly escape the information passed in the 'url' variable before calling the executeCommand class function ($this->dtObj->executeCommand). This function calls exec() with unsanitized user input allowing for remote command injection. The page that contains the vulnerabilities, /controllers/MgrDiagnosticTools.php, is accessed by a built-in command answered by the administrative interface. The command that calls to that vulnerable page (passed in the 'section' parameter) is: 'configuration'. Exploitation of this vulnerability yields shell access to the remote machine under the 'spiderman' user account."}, {"lang": "es", "value": "La Sophos Web Appliance Remote / Secure Web Gateway server (versi\u00f3n 4.2.1.3) es vulnerable a una vulnerabilidad de inyecci\u00f3n de comandos remotos en su interfaz web administrativa. Estas vulnerabilidades ocurren en MgrDiagnosticTools.php (/controllers/MgrDiagnosticTools.php), en el componente responsable de realizar test diagn\u00f3sticos con la utilidad wget de UNIX. La aplicaci\u00f3n no escapa adecuadamente la informaci\u00f3n pasada en la variable 'url' antes de llamar a la funci\u00f3n de la clase executeCommand ($this->dtObj->executeCommand). Esta funci\u00f3n llama a exec() con entrada de usuario no desinfectada permitiendo inyecci\u00f3n remota de comandos. A la p\u00e1gina que contiene las vulnerabilidades, /controllers/MgrDiagnosticTools.php, se accede mediante un comando incorporado que responde a la interfaz administrativa. El comando que llama a la p\u00e1gina vulnerable (pasado en el par\u00e1metro 'section') es: 'configuration'. La explotaci\u00f3n de esta vulnerabilidad da acceso shell a la m\u00e1quina remota bajo la cuenta de usuario 'spiderman'."}], "id": "CVE-2016-9554", "lastModified": "2024-11-21T03:01:22.310", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-01-28T12:59:00.180", "references": [{"source": "cve@mitre.org", "tags": ["Exploit"], "url": "http://pastebin.com/UB8Ye6ZU"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95858"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit"], "url": "http://pastebin.com/UB8Ye6ZU"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/95858"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://community.sophos.com/products/web-appliance/b/blog/posts/release-of-swa-version-4-3-1"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "nvd@nist.gov", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object