Vulnerability Name:

CVE-2017-18014 (CCN-137408)

Assigned:2018-01-08
Published:2018-01-08
Updated:2018-02-06
Summary:An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request.
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
6.1 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
5.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:H/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Cross-Site Scripting
References:Source: MITRE
Type: CNA
CVE-2017-18014

Source: CCN
Type: Full-Disclosure Mailing List, Mon, 8 Jan 2018 08:29:02 +0200
SSD Advisory – Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20180109 SSD Advisory - Sophos XG from Unauthenticated Persistent XSS to Unauthorized Root Access

Source: MISC
Type: Exploit, Third Party Advisory
https://blogs.securiteam.com/index.php/archives/3612

Source: CONFIRM
Type: Vendor Advisory
https://community.sophos.com/kb/en-us/128024

Source: CCN
Type: Sophos Web site
Advisory: Security update for users of Web Application Firewall (WAF) in Sophos XG Firewall

Source: CONFIRM
Type: Vendor Advisory
https://community.sophos.com/products/xg-firewall/b/xg-blog/posts/sfos-17-0-3-mr3-released

Source: XF
Type: UNKNOWN
sophos-cve201718014-xss(137408)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:sophos:sfos:*:*:*:*:*:*:*:* (Version <= 17.0)
  • AND
  • cpe:/h:sophos:xg_firewall:-:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:sophos:sfos:17.0:mr1:*:*:*:*:*:*
  • OR cpe:/o:sophos:sfos:17.0:mr2:*:*:*:*:*:*
  • OR cpe:/o:sophos:sfos:17.0:mr3:*:*:*:*:*:*
  • AND
  • cpe:/h:sophos:xg_firewall:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/h:sophos:xg_firewall:-:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    sophos sfos *
    sophos xg firewall -
    sophos sfos 17.0 mr1
    sophos sfos 17.0 mr2
    sophos sfos 17.0 mr3
    sophos xg firewall -
    sophos xg firewall -