RCE vulnerability comes just weeks after the discovery of a similar flaw that was exploited by the Asnarök trojan
Security researchers investigating the impact of a patched security vulnerability in Sophos XG firewalls managed to discover a similar flaw that posed a remote code execution (RCE) risk.
German security consultancy Code White began looking at the vulnerability tracked as CVE-2020-12271, which was patched in April shortly after it was exploited to distribute the Asnarök trojan.
SQLi to RCE
Sophos initially categorized the vulnerability as principally posing an SQL injection (SQLi) risk, but that might be understating the problem.
Code White independently proved that the flaw could be used to develop an RCE attack, before going on to discover a new vulnerability with a similar impact.
“Our analysis not only resulted in a working RCE exploit for the disclosed vulnerability (CVE-2020-12271), but also led to the discovery of another SQLi, which could have been used to gain code execution (CVE-2020-15504),” Code White explains in a detailed technical blog post.
“The criticality of this new vulnerability is similar to the one used in the Asnarök campaign: exploitable pre-authentication either via an exposed user or admin portal.”
Code White reported the further issue it had uncovered – which involved the email quarantine release feature of XG Firewall – to Sophos via its BugCrowd vulnerability disclosure platform.
Sophos acted promptly to develop and release a hotfix in May, before releasing updated firmware that bundled the fix in June and July.
The availability of fixes, which mean the majority of vulnerable devices are now patched, allowed Code White to publish its findings in a detailed 5,500-plus word technical blog post.
Sophos told The Daily Swig that there was no evidence the flaw the German security consultancy had uncovered had been exploited in the wild.
“We immediately and aggressively remediated this discovery by Code White, which was responsibly disclosed to us,” the company said.
“There is no evidence the vulnerability was exploited and to our knowledge no customers are impacted.”
Code White agreed with this assessment.
“We have no indication that the zero-day RCE was public or known prior to our blog post release, and we don’t think that it was exploited according to the field experience we have for devices at our clients premises,” Code White’s David Elze told The Daily Swig.
Elze added that Sophos’ automated update mechanism meant that most users would be protected.
“In general, the automatic hotfix feature of Sophos XG Firewalls seems to be a very nice way to make sure that critical security patches are deployed very quickly which is something we do not see that often in other products,” he said.
RELATED Sophos XG Firewall zero-day vulnerability gets patched