Content filtering software vendor appears to have ignored calls to resolve the critical security flaw
UPDATE (May 6, 2020; 15:04 UTC) Netsweeper has now issued a patch to address this vulnerability. Check out our latest article for details.
Netsweeper is harboring an unpatched, severe RCE flaw that could expose countless companies and their subscribers to the hijacking of content filtering and of the web pages their users are served.
Netsweeper describes itself as a provider of application and internet content filtering solutions for organizations, educational establishments, governments, and ISPs.
Netsweeper blocks adult content such as pornography and gambling sites, along with phishing pages and malicious domains.
However, a severe vulnerability in the software has seemingly been ignored for weeks.
On April 28, Noam Rathaus, CTO and co-founder of Beyond Security, disclosed a critical issue in the Netsweeper portal that remains unpatched at the time of writing.
Impacting Netsweeper webadmin versions 6.4.3 and below, the flaw can be exploited without authentication to achieve remote code execution (RCE) on the portal.
Rathaus’ security advisory, reported to the SSD Secure Disclosure program, states that the bug is located in the platform’s /webadmin/tools/unixlogin.php script.
The endpoint script receives three request parameters: ‘login’, ‘password’, and ‘timeout’.
The authentication check passes the password parameter into Python commands without sanitizing it, so a crafted password value can alter those commands and execute arbitrary code on the server.
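To make the bug class concrete, here is an added example that is not Netsweeper's code and not taken from the advisory: a Python reconstruction of a login handler that splices the request parameters into a `python -c` one-liner, a check that shows how a crafted password adds statements to that one-liner, and a hardened variant that hands the password to the checker as data. The module name `unixauth`, the command layout, and the payload are assumptions.

```python
"""Added illustration of the bug class in the advisory (not Netsweeper's code).

A login handler that interpolates request parameters into a 'python -c'
one-liner, a way to see how a crafted password adds statements to that
one-liner, and a hardened variant that passes the password as data.
The module name, command layout and payload are assumptions.
"""
import ast
import shlex
import subprocess
import sys

# Assumed name of the credential checker the portal would call.
CHECK_MODULE = "unixauth"


def build_vulnerable_command(login: str, password: str, timeout: str) -> str:
    """Vulnerable pattern: the three request parameters are spliced directly
    into Python source inside a shell command. The password lands inside a
    single-quoted string literal with no escaping, so a quote in it ends the
    literal and whatever follows becomes code."""
    code = (f"import {CHECK_MODULE}; "
            f"{CHECK_MODULE}.check('{login}', '{password}', {timeout})")
    return f'python -c "{code}"'


def extract_python_snippet(command: str) -> str:
    """Recover the -c argument the interpreter would receive by splitting the
    command the way a POSIX shell would."""
    argv = shlex.split(command)
    return argv[argv.index("-c") + 1]


def injected_statements(command: str) -> int:
    """Count top-level statements in the snippet. A benign login yields 2
    (the import and the check call); more means a parameter broke out of
    its literal and smuggled in statements of its own."""
    return len(ast.parse(extract_python_snippet(command)).body)


def run_check_hardened(login: str, password: str, timeout: str) -> str:
    """Hardened pattern: validate the numeric field, then run the checker with
    an argv list and no shell. The password is an argv element the checker
    reads as data; it is never part of the code. The checker here is a
    stand-in one-liner that just echoes the password it received."""
    if not timeout.isdigit():
        raise ValueError("timeout must be a non-negative integer")
    checker = "import sys; print(sys.argv[2], end='')"
    argv = [sys.executable, "-c", checker, login, password, timeout]
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed payload: closes the password literal, injects two statements,
    # then reopens a literal so the remaining ', 30)' still parses.
    payload = "x'); import os; os.system('id'); _ = ('"
    cmd = build_vulnerable_command("admin", payload, "30")
    print(cmd)
    print("top-level statements:", injected_statements(cmd))      # 5, not 2
    print("hardened checker saw:", run_check_hardened("admin", payload, "30"))
```

The vulnerable builder never executes anything; `injected_statements` parses the one-liner with `ast` so the effect of the payload is visible without running it. The hardened variant does run a subprocess, but with an argv list and no `shell=True`, which is why the same payload comes back verbatim as an inert string.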
Speaking to The Daily Swig, the cybersecurity researcher said there are two main ramifications of the security issue to consider.
The first, deemed “less interesting” by Rathaus, is the possibility of removing content and filtering restrictions.
The second, however, could be far more damaging. Attackers could see, at the individual level, what websites users are visiting, and they could also take over traffic channels and redirect users to “unintentionally download malware and viruses”.
The researcher made a number of attempts to contact Netsweeper over a period of three weeks but has been met with radio silence.
“We were not able to get the vendor to respond to our advisory or fix it [so] we decided that the best course of action at the moment is to release a full advisory,” Rathaus told us.
“Hopefully, this can reach the right person that can get them to patch it.”
Rathaus recommends that while the security vulnerability remains unpatched, users should limit access to the webadmin interface using product-level access controls or URL and port restrictions. Because the flaw is exploitable before authentication, the portal's own login offers no protection; the restriction has to sit in front of the /webadmin/ path, at the web server or network level.
The Daily Swig has reached out to Netsweeper and will update if and when we hear back.