CVE-2023-1671: Sophos Web Appliance — Pre-Auth Command Injection

CVE Details

CVE ID CVE-2023-1671
CVSS Score 9.8
Severity Critical
Vendor Sophos
Product Sophos Web Appliance
Patch Status Available
Published April 4, 2023 (Sophos advisory; fixed in 4.3.10.4)
Added to CISA KEV November 16, 2023
EPSS Score 94.3%
CISA Patch Deadline December 7, 2023 (federal remediation deadline; passed)

Background

Sophos Web Appliance (SWA) is a hardware and virtual appliance providing web filtering, content scanning, and threat protection. It’s deployed at the network perimeter to inspect web traffic and block malicious content. The irony of a security appliance having a critical RCE isn’t lost on anyone.

CVE-2023-1671 was patched in April 2023 (Web Appliance 4.3.10.4). CISA added it to the Known Exploited Vulnerabilities catalogue on November 16, 2023, which is CISA's confirmation of exploitation in the wild. The timing is what makes it notable: the Sophos Web Appliance reached end-of-life on 20 July 2023, four months before the KEV listing, so organisations that neither patched promptly nor migrated were left with an unpatched, unsupported and potentially internet-facing pre-auth RCE.

Technical Mechanism

The Sophos Web Appliance serves warning and block pages to users when it blocks, or warns about, a website. Sophos's advisory places the vulnerability in the warn-proceed handler of that warning-page component: a request parameter reaches a system command without sanitisation, so a request containing shell metacharacters in that parameter injects OS commands.

The advisory does not name the parameter; the working assumption here is that it is one tied to the blocked URL or the reason for blocking. No authentication is required, because the handler exists precisely to be reached by unauthenticated proxied clients, and the attacker talks to it directly rather than through a block event.

The warning/block page endpoint has to be reachable by the users whose traffic is being filtered, so it is reachable from wherever those clients sit. If the appliance's web interface is exposed to the internet, whether by design or through a permissive firewall rule, the handler is exposed with it, and the same is true of the management interface in some deployments.

Exploit flow:

  1. Send a crafted HTTP request to the warning page endpoint
  2. Parameter containing shell metacharacters (; command, $(command), etc.) is included
  3. The underlying web application passes the unsanitised parameter to a system call
  4. The injected command executes with the privileges of the web service account on the appliance (the advisory does not state whether that is root; on an appliance, treat it as full compromise of the device either way)
  5. RCE achieved without any credentials
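The exploit flow above is the classic command-injection shape: untrusted parameter, string-built command, shell. The following is an added example written for this page, not code from Sophos or the appliance: a Python stand-in for a block-page handler that splices request parameters into a shell command, beside the two standard fixes. The handler name, the parameter names, the use of echo as the helper command and the allowlist regex are all assumptions; the appliance's real handler and helper are not shown on this page.

```python
"""Added example for CVE-2023-1671's bug class (not the appliance's own code).
The handler, parameter names, 'echo' as the helper and the allowlist are assumptions."""
import re
import shlex
import subprocess

# Characters that let a parameter value break out into a second shell command.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")

# Allowlist for the blocked-URL parameter (assumption; a real handler would use
# its own URL grammar). It admits no spaces and none of the metacharacters above.
URL_ALLOWED = re.compile(r"https?://[A-Za-z0-9.-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~%/?=&-]*)?")
REASON_ALLOWED = re.compile(r"[A-Za-z0-9_-]+")

# 'echo' stands in for whatever helper the real warn-proceed handler invokes.
HELPER = "echo"


def vulnerable_block_page(reason: str, url: str) -> str:
    """The bug class: request parameters are spliced into a command string that
    is handed to /bin/sh. A ';' in `url` ends the helper command and starts the
    attacker's own. Kept only to show the behaviour; never deploy this shape."""
    cmd = f"{HELPER} blocked reason={reason} url={url}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_block_page(reason: str, url: str) -> str:
    """Fallback when a shell genuinely cannot be avoided: shlex.quote() wraps
    each value so the shell sees one literal word. The payload is printed, not run."""
    cmd = f"{HELPER} blocked reason={shlex.quote(reason)} url={shlex.quote(url)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_block_page(reason: str, url: str) -> str:
    """Preferred fix: validate against an allowlist, then pass an argv list with
    no shell at all, so metacharacters never reach an interpreter."""
    if not URL_ALLOWED.fullmatch(url):
        raise ValueError(f"rejected url parameter: {url!r}")
    if not REASON_ALLOWED.fullmatch(reason):
        raise ValueError(f"rejected reason parameter: {reason!r}")
    argv = [HELPER, "blocked", f"reason={reason}", f"url={url}"]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def hardened_rejects(reason: str, url: str) -> bool:
    """True when the hardened handler refuses the input before any process starts."""
    try:
        hardened_block_page(reason, url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "http://example.com;echo INJECTED"  # constructed attacker value
    print("vulnerable:", repr(vulnerable_block_page("filetype", payload)))
    print("quoted:    ", repr(quoted_block_page("filetype", payload)))
    print("hardened:  ", "rejected" if hardened_rejects("filetype", payload) else "accepted")
```

Compare the three outputs: the vulnerable handler prints a second line produced by the injected echo, the quoted version prints the payload as inert text on the original line, and the hardened version refuses the request before any process starts. Allowlist plus argv is the fix to prefer; shlex.quote is only the fallback for code that cannot be moved off a shell.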

Real-World Exploitation Evidence

CISA confirmed active exploitation of CVE-2023-1671 when it added the bug to the KEV catalogue on November 16, 2023. Separately, Sophos's "Pacific Rim" report (published October 2024) documented years of Chinese state-sponsored targeting of Sophos network products; that report concerns the firewall product line, and nothing here attributes exploitation of this particular CVE to a named actor.

Key context:

  • End-of-life timing — Sophos EOL’d the Web Appliance in July 2023, shortly after this patch; organisations had a narrow window to patch before losing support entirely
  • Sophos appliance history — Sophos firewalls and other appliances have been repeatedly targeted; the “Pacific Rim” investigation documented years of Chinese state-sponsored attacks against Sophos network products
  • Web filter context — a compromised web filtering appliance sees every request it proxies: plaintext HTTP in full and, where HTTPS scanning (TLS interception) is enabled, decrypted HTTPS as well; for HTTPS it does not decrypt it still sees hostnames (SNI), timing and volume

Impact Assessment

  • Arbitrary code execution on the web filtering appliance; assume full device compromise, since the exact privilege level is not established here
  • Proxy traffic interception — the appliance sees all web traffic proxied through it; compromise exposes this traffic
  • Network pivot — the appliance sits between users and the internet; it has access to internal network segments
  • Bypass of web filtering — a compromised appliance can be configured to pass malicious traffic that it would otherwise block
  • Credential capture — traffic proxied over plaintext HTTP, and decrypted HTTPS if HTTPS scanning is enabled, may contain credentials
  • Persistent access — appliance persistence allows long-term undetected access

Affected Versions

Product                Affected Versions              Fixed Version
Sophos Web Appliance   all versions before 4.3.10.4   4.3.10.4

Note: Sophos Web Appliance reached end-of-life on 20 July 2023, and 4.3.10.4 is its final release. Sophos's migration path is the web protection in Sophos Firewall; remaining installations should be moved there or to an alternative solution.

Remediation Steps

  1. Confirm the appliance is on 4.3.10.4, the final release; anything earlier is vulnerable and should be updated immediately
  2. Migrate away from Sophos Web Appliance — it is end-of-life; no further security patches will be issued
  3. If the appliance cannot be immediately replaced or patched:
    • Restrict management interface access to trusted IPs only
    • Ensure the appliance is not directly internet-accessible
  4. Check for signs of compromise:
    • Review appliance logs for unusual HTTP requests to the warning page handler
    • Look for unexpected processes or network connections from the appliance
  5. If compromise is detected, treat all traffic that passed through the appliance as potentially captured
  6. Rotate credentials for services that users accessed via the proxied web traffic

Detection Guidance

Appliance logs — review web server logs for requests to the block/warning page handler (shown here as /end-user.cgi; confirm the actual handler path on your appliance version before building searches or signatures) from external sources, or with shell metacharacters in their parameters, raw or percent-encoded.

Network monitoring — watch for unexpected outbound connections from the Sophos appliance IP that aren’t to configured update servers or management systems.

Unusual traffic patterns — a compromised proxy may start passing traffic it should be blocking; monitor for increased traffic to known malicious domains that the appliance should block.
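As an added example for the log review described above (written for this page, not taken from Sophos or the page's sources): a triage script over combined-format web-server access lines that flags requests to the block-page handler whose parameter values contain shell metacharacters, decoding twice so double-encoded payloads are caught, and requests to that handler from addresses outside the internal ranges. The sample log lines are constructed, the handler prefix /end-user is the page's placeholder, and the internal ranges are an assumption to adjust.

```python
"""Added example: access-log triage for CVE-2023-1671 probing (not Sophos code).
Sample lines are constructed; the handler prefix and internal ranges are assumptions."""
import ipaddress
import re
from typing import List, Optional
from urllib.parse import unquote_plus

# Prefix of the block-page handler. "/end-user" is the placeholder used on this
# page; replace it with the path your appliance actually serves block pages from.
HANDLER_PREFIXES = ("/end-user",)

# Shell metacharacters that have no business in a block-page parameter value.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n]")

# Ranges the appliance is expected to serve (assumption); anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Combined log format, only the fields triage needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not real appliance logs: one ordinary block-page hit
# from an internal client, then probes from outside, one of them double-encoded.
SAMPLE_LOG = """\
192.168.10.23 - - [10/Nov/2023:09:14:02 +0000] "GET /end-user?url=http%3A%2F%2Fblocked.example%2Fpage&reason=category HTTP/1.1" 200 2134
203.0.113.45 - - [10/Nov/2023:09:14:40 +0000] "POST /end-user HTTP/1.1" 200 2134
203.0.113.45 - - [10/Nov/2023:09:14:41 +0000] "GET /end-user?url=http%3A%2F%2Fx%3Bid%3E%2Ftmp%2Fo&reason=category HTTP/1.1" 200 2134
198.51.100.7 - - [10/Nov/2023:09:15:03 +0000] "GET /end-user?url=http%3A%2F%2Fx%2F%2524%2528id%2529&reason=category HTTP/1.1" 500 512
192.168.10.23 - - [10/Nov/2023:09:16:11 +0000] "GET /index.php HTTP/1.1" 200 800
"""


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_external(ip: str) -> bool:
    """True when the source address is outside every internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparseable source field: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def decode_value(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times so double-encoded payloads are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_values(query: str) -> List[str]:
    """Decoded parameter values that contain shell metacharacters. Splitting on
    '&' before decoding keeps an encoded '%26' inside a value and stops the
    literal '&' between parameters from being mistaken for a payload."""
    hits = []
    for pair in query.split("&"):
        if not pair:
            continue
        _, _, value = pair.partition("=")
        decoded = decode_value(value)
        if SHELL_METACHARS.search(decoded):
            hits.append(decoded)
    return hits


def triage(log_text: str) -> List[dict]:
    """One finding per request to the handler that carries shell metacharacters
    in a parameter value or comes from outside the internal ranges."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        if not path.startswith(HANDLER_PREFIXES):
            continue
        hits = suspicious_values(query)
        reasons = []
        if hits:
            reasons.append("shell metacharacters in query")
        if is_external(rec["ip"]):
            reasons.append("external source")
        if reasons:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "target": rec["target"], "status": rec["status"],
                             "values": hits, "reasons": reasons})
    return findings


def suspicious_sources(findings: List[dict]) -> List[str]:
    """Distinct source addresses behind the findings, for blocking and further hunting."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["ip"], f["method"], f["target"], "->", "; ".join(f["reasons"]))
    print("sources to investigate:", suspicious_sources(results))
```

A "shell metacharacters" hit is the strong signal and warrants the compromise checks in the remediation steps. "External source" on its own is an exposure problem to fix (the handler should not be reachable from outside the filtered networks) rather than proof of exploitation, though the same address appearing in both categories, as in the constructed sample, is exactly the pattern to hunt for across the rest of the log.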

Suricata signatures (the /end-user path is this page's placeholder and must match the real handler path; $SOPHOS_APPLIANCE_IPS has to be declared under vars.address-groups in suricata.yaml; the sids sit in the local range so they do not collide with Emerging Threats rules; the original single-byte semicolon match on any request body has been replaced with a metacharacter pattern, raw or percent-encoded, to cut noise):

alert http any any -> $SOPHOS_APPLIANCE_IPS any (msg:"Sophos Web Appliance CVE-2023-1671 Command Injection Attempt (POST body)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/end-user"; http.request_body; pcre:"/(?:[\x3b|\x60]|\$\(|%3b|%7c|%60|%24%28)/i"; reference:cve,2023-1671; classtype:web-application-attack; sid:1000001; rev:2;)

alert http any any -> $SOPHOS_APPLIANCE_IPS any (msg:"Sophos Web Appliance CVE-2023-1671 Command Injection Attempt (query string)"; flow:established,to_server; http.uri.raw; content:"/end-user"; pcre:"/[?&][^=&]+=[^&]*(?:[\x3b|\x60]|\$\(|%3b|%7c|%60|%24%28)/i"; reference:cve,2023-1671; classtype:web-application-attack; sid:1000002; rev:1;)

Timeline

Date                Event
4 April 2023        Sophos publishes its advisory and patches CVE-2023-1671 in Web Appliance 4.3.10.4
20 July 2023        Sophos Web Appliance reaches end-of-life; 4.3.10.4 is the final release
16 November 2023    CISA adds CVE-2023-1671 to the Known Exploited Vulnerabilities catalogue, confirming active exploitation; federal remediation deadline 7 December 2023
October 2024        Sophos publishes the "Pacific Rim" investigation documenting years of Chinese state-sponsored activity against its firewall products