Researcher Warns of Threat Still Posed by Sophos SG UTM Flaw
11 Months After Patch Issued, Many Tools May Remain Unpatched
A little-explored critical vulnerability in the WebAdmin of Sophos' SG UTM, the software used to configure the firewall and threat detection settings of Sophos' Unified Threat Management appliance, remains a threat on devices that have not been patched some 11 months after a fix was issued, a researcher says.
Tracked as CVE-2020-25223, the flaw carries a 9.8 (critical) severity rating. If exploited, it could enable remote code execution, says Justin Kennedy, a security researcher at information security consultancy Atredis Partners.
Sophos patched the flaw last September in versions v9.705 MR5, v9.607 MR7 and v9.511 MR11.
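To check a firmware inventory against those fix releases, here is an added example (not from the article or from Sophos); it assumes the version string format shown in WebAdmin, for example "9.703-3", compares only the "9.NNN" number per maintenance branch, and uses a constructed inventory.

```python
"""Branch-aware check of Sophos SG UTM firmware versions against the
CVE-2020-25223 fix releases named in the article: 9.705, 9.607, 9.511.
Assumptions (not from the article): the version string begins with a
"9.NNN" number as shown in WebAdmin, e.g. "9.703-3"; the MR designation
is not modelled, so a build on the fix release itself counts as fixed.
"""
import re
from typing import Dict, Optional, Tuple

# Minimum fixed release per maintenance branch, taken from the article.
FIXED_BY_BRANCH = {"9.5": 511, "9.6": 607, "9.7": 705}

# Accepts "9.703-3", "v9.511", "9.607"; the "-N" build suffix is ignored.
_VER_RE = re.compile(r"^v?(\d+)\.(\d{3})(?:-\d+)?$")


def parse_version(version: str) -> Tuple[int, int]:
    """Return (major, minor) for a UTM version string, e.g. (9, 703)."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised UTM version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(version: str) -> Optional[bool]:
    """True if at/after the branch's fix release, False if before,
    None if the branch is not one the article names (manual review)."""
    major, minor = parse_version(version)
    if major != 9:
        return None
    fixed = FIXED_BY_BRANCH.get(f"9.{minor // 100}")
    if fixed is None:
        return None
    return minor >= fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Label each host as 'patched', 'UNPATCHED' or 'unknown'."""
    labels = {True: "patched", False: "UNPATCHED", None: "unknown"}
    return {host: labels[is_patched(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-hq": "9.705-3",
    "fw-branch-01": "9.703-3",
    "fw-lab": "v9.511",
    "fw-legacy": "9.413-4",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```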
A Sophos spokesperson emphasized that the company notified customers of the urgency of patching the flaw last year and said the firm is "not aware of any attacks leveraging it."
But Kennedy found Sophos UTM device users who still had not applied the available fixes, and when asked by ISMG about the likelihood of threat actors exploiting the flaw in the future, he replied, "Absolutely. It's hard to get more impactful than unauthenticated RCE as the root user."
Exploiting an RCE flaw could give an attacker the ability to modify computer files or access banking information, or it could be leveraged for further privilege escalation to get additional capabilities on a network, Kennedy says.
Responding to Kennedy’s research findings, Sophos tells Information Security Media Group: "The additional detail in the blog raises awareness about how important it is for organizations to constantly update and patch their software. The emphasis we want to underscore is that updating and patching is a critical security best practice that organizations of all sizes need to build into their ongoing maintenance routines. Users should also ensure their WebAdmin is not exposed to WAN, and deploy all maintenance releases."
Kennedy began his investigation into the root cause of the RCE vulnerability by comparing the patched and unpatched versions of the SG UTM software. He found that an attacker could exploit the flaw by sending a single HTTP request to an SG UTM WebAdmin interface exposed to the internet.
Kennedy found that an unnamed author on Seebug had published the "Sophos UTM firmware decompiled Perl source code." "The gist of the write-up is that the author found that the [.]plx files are Perl files that have been compiled using ActiveState's Perl Dev Kit and that you can access the original source by running the [.]plx file in a debugger, setting a break point, and recovering the script from memory. I went through this process and it worked surprisingly well."