PT-2019-9222 · Sophos · Sophos Firewall

Published: 2019-06-20 · Updated: 2019-06-25 · CVE-2018-16118

CVSS v2.0: 9.3 (High)

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Sophos XG firewall version 17.0.8 MR-8

Description: A shell escape issue in the API Configuration component allows remote attackers to execute arbitrary OS commands. The attacker injects shell metacharacters into the X-Forwarded-For HTTP header of a request to the /webconsole/APIController API endpoint; no authentication is required (CVSS vector Au:N), and the header value ends up in a command line that the firewall hands to a shell.

Recommendations: For Sophos XG firewall version 17.0.8 MR-8, restrict network access to the /webconsole/APIController endpoint to trusted management hosts until a patch is available. Note that X-Forwarded-For is supplied by the client, so its contents are attacker-controlled: do not rely on the header for anything on this endpoint, and if a reverse proxy fronts the web console, have it drop or overwrite client-supplied X-Forwarded-For values rather than pass them through.
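The pattern behind this class of bug, as an added illustration that is not Sophos code and is not taken from the advisory: a hypothetical request handler that splices the X-Forwarded-For header into a shell command, the hardened equivalent that validates the header as a list of IP literals and executes argv without a shell, and a small triage pass over constructed access-log lines that flags APIController requests carrying a malformed header. The log line format and the `echo` stand-in for the logging command are assumptions.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that must never reach a command line unquoted.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\\\n'\"]")


def parse_xff(header: str) -> list:
    """Split an X-Forwarded-For value into validated IP address strings.

    Raises ValueError on anything that is not a comma-separated list of
    IPv4/IPv6 literals, which is the only shape a legitimate proxy sends.
    """
    ips = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in X-Forwarded-For")
        ips.append(str(ipaddress.ip_address(part)))  # ValueError on junk
    return ips


def is_valid_xff(header: str) -> bool:
    try:
        parse_xff(header)
        return True
    except ValueError:
        return False


def log_client_vulnerable(xff: str) -> str:
    """Vulnerable pattern (hypothetical handler): header spliced into a shell string."""
    cmd = "echo client " + xff  # attacker-supplied text becomes shell syntax
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_client_safe(xff: str) -> str:
    """Hardened pattern: validate first, then exec an argv list with no shell."""
    client = parse_xff(xff)[0]  # rejects metacharacters before any exec
    argv = ["echo", "client " + client]  # single argv element, never re-parsed
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Constructed sample access-log lines: src "method path" status "x-forwarded-for"
SAMPLE_LOG = [
    '10.0.0.5 "POST /webconsole/APIController" 200 "198.51.100.9"',
    '10.0.0.5 "POST /webconsole/APIController" 200 "198.51.100.9; id"',
    '10.0.0.6 "POST /webconsole/APIController" 200 "-"',
    '10.0.0.7 "GET /webconsole/webpages/login.jsp" 200 "198.51.100.10; id"',
]
LOG_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')


def flag_suspicious(lines) -> list:
    """Return (source, xff) pairs for APIController requests whose
    X-Forwarded-For is not a clean IP list or carries shell metacharacters."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, _method, path, _status, xff = m.groups()
        if not path.startswith("/webconsole/APIController"):
            continue
        if xff in ("", "-"):  # header absent: nothing to inject
            continue
        if SHELL_METACHARS.search(xff) or not is_valid_xff(xff):
            hits.append((src, xff))
    return hits


if __name__ == "__main__":
    payload = "203.0.113.7; echo INJECTED"
    print(repr(log_client_vulnerable(payload)))  # the second command ran
    print(is_valid_xff(payload), is_valid_xff("203.0.113.7"))
    print(log_client_safe("203.0.113.7").strip())
    print(flag_suspicious(SAMPLE_LOG))
```

The triage function deliberately ignores requests to other paths even when their header looks hostile: the goal is to surface attempts against the vulnerable endpoint, and the `-` case shows why an absent header must not be counted as a hit.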

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2018-16118

Affected Products

Sophos Firewall