CVE-2017-18014 in SFOS

Summary

by MITRE

An NC-25986 issue was discovered in the Logging subsystem of Sophos XG Firewall with SFOS before 17.0.3 MR3. An unauthenticated user can trigger a persistent XSS vulnerability found in the WAF log page (Control Center -> Log Viewer -> in the filter option "Web Server Protection") in the webadmin interface, and execute any action available to the webadmin of the firewall (e.g., creating a new user, enabling SSH, or adding an SSH authorized key). The WAF log page will execute the "User-Agent" parameter in the HTTP POST request.


Analysis

by VulDB Data Team • 12/29/2019

The vulnerability identified as CVE-2017-18014 represents a critical persistent cross-site scripting flaw within the Sophos XG Firewall's logging subsystem. This issue affects devices running SFOS versions prior to 17.0.3 MR3 and stems from inadequate input validation within the webadmin interface's WAF log page functionality. The vulnerability specifically manifests in the filter options of the Log Viewer section under Control Center, where the User-Agent header of HTTP POST requests is rendered into the page without sanitization or output encoding, so the viewing administrator's browser executes it as script. This flaw allows unauthenticated attackers to inject scripts that persist in the log entries, which makes the vulnerability particularly dangerous: the payload fires against any user who views the affected page.

The technical exploitation of this vulnerability occurs through the manipulation of HTTP headers, specifically the User-Agent field, which is processed and displayed within the webadmin interface's WAF log viewer. When an attacker crafts a malicious User-Agent string containing JavaScript code and submits it through a POST request, the firewall's logging subsystem stores this input without proper validation. The stored payload then executes whenever any user, including legitimate administrators, views the WAF log page, effectively providing attackers with the ability to perform arbitrary actions within the firewall's administrative interface. This persistent nature of the vulnerability means that the malicious code remains active even after the initial request, continuously executing against any user who accesses the vulnerable page.
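The defect class described above, stored verbatim and later interpolated into HTML, is easiest to see in a small model of a log viewer. The following is an added example written for this page; it is not Sophos code and does not reproduce the SFOS webadmin. The names (LogStore, render_log_page_vulnerable, render_log_page_hardened) and the sample traffic are constructed for the demonstration; the point is that a log must keep the raw header for forensic fidelity, so the fix belongs at output time, where every untrusted field is HTML-encoded before it reaches the browser.

```python
"""Toy model of a log viewer that renders request headers into an admin page.

Added example for CVE-2017-18014 (not Sophos/SFOS code). It shows the defect
class behind the CVE: a User-Agent value is stored as received and later
interpolated into HTML without output encoding, so the viewer's browser
interprets it as markup. All names here are hypothetical.
"""
import html
from dataclasses import dataclass, field
from typing import List


@dataclass
class LogEntry:
    client_ip: str
    path: str
    user_agent: str  # attacker-controlled header, stored as received


@dataclass
class LogStore:
    """Stand-in for the firewall's logging subsystem (constructed)."""
    entries: List[LogEntry] = field(default_factory=list)

    def record(self, client_ip: str, path: str, user_agent: str) -> None:
        # Nothing is validated or encoded at storage time. That is fine only
        # if every consumer encodes on output: a log should keep the raw value
        # so that investigators see exactly what the client sent.
        self.entries.append(LogEntry(client_ip, path, user_agent))


ROW = "<tr><td>{ip}</td><td>{path}</td><td>{ua}</td></tr>"


def render_log_page_vulnerable(store: LogStore) -> str:
    """Interpolates raw header values into HTML: the defective pattern."""
    rows = [ROW.format(ip=e.client_ip, path=e.path, ua=e.user_agent)
            for e in store.entries]
    return "<table>" + "".join(rows) + "</table>"


def render_log_page_hardened(store: LogStore) -> str:
    """Same page with HTML output encoding applied to every untrusted field."""
    rows = [ROW.format(ip=html.escape(e.client_ip, quote=True),
                       path=html.escape(e.path, quote=True),
                       ua=html.escape(e.user_agent, quote=True))
            for e in store.entries]
    return "<table>" + "".join(rows) + "</table>"


def contains_active_markup(page: str) -> bool:
    """Crude check for the demonstration: does the rendered page contain a
    script tag that a browser would execute?"""
    return "<script" in page.lower()


# Constructed sample traffic: one benign client and one request whose
# User-Agent carries markup (a generic test string, not an SFOS exploit).
SAMPLE_STORE = LogStore()
SAMPLE_STORE.record("10.0.0.5", "/login", "Mozilla/5.0 (X11; Linux x86_64)")
SAMPLE_STORE.record("203.0.113.9", "/", '<script>alert("xss")</script>')

if __name__ == "__main__":
    print("vulnerable page executes markup:",
          contains_active_markup(render_log_page_vulnerable(SAMPLE_STORE)))
    print("hardened page executes markup:",
          contains_active_markup(render_log_page_hardened(SAMPLE_STORE)))
```

Note that the store is identical in both renderings; only the output path differs. Encoding at render time (or, in a real application, using a templating engine with autoescaping on by default) is what prevents a stored header from becoming markup, and it preserves the original value in the log for investigation.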

The operational impact of this vulnerability extends far beyond simple script execution, as it provides attackers with complete administrative control over the affected firewall. The compromised system allows unauthorized users to create new administrative accounts, enable remote access protocols such as SSH, and add SSH authorized keys, effectively granting persistent access to the network infrastructure. This privilege escalation capability directly violates the principle of least privilege and creates a persistent backdoor within the organization's network security perimeter. The vulnerability affects the core security functionality of the firewall, potentially allowing attackers to bypass network controls, monitor traffic, and modify security policies, making it a severe threat to network integrity and security posture.

Organizations should immediately implement mitigations including upgrading to SFOS version 17.0.3 MR3 or later, which includes proper input validation and sanitization for the affected logging functionality. Network administrators should also consider implementing additional monitoring for suspicious User-Agent strings and HTTP requests that may indicate exploitation attempts. The vulnerability aligns with CWE-79 Cross-site Scripting and follows patterns described in ATT&CK technique T1059 Command and Scripting Interpreter, where adversaries leverage web application vulnerabilities to execute malicious code. Security teams should also review their firewall's administrative access controls and implement network segmentation to limit the potential impact of such compromises. The persistent nature of the vulnerability makes it particularly dangerous in environments where administrators regularly access log files, as the attack can remain undetected for extended periods while providing continuous unauthorized access to critical network infrastructure.
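The monitoring the analysis recommends, flagging requests whose User-Agent header carries HTML or script markup, can be run over ordinary access logs while an upgrade to SFOS 17.0.3 MR3 is scheduled. The following is an added example written for this page, not VulDB's or Sophos's code. It assumes a Combined Log Format line layout and a small constructed indicator list; neither is the SFOS log format, and the sample log lines are constructed.

```python
"""Added example (not VulDB/Sophos code): flag HTTP requests whose User-Agent
header contains HTML or script markup, as a detection control for the class of
stored XSS described in CVE-2017-18014.

Assumptions: input is Combined Log Format (ip - - [ts] "req" status bytes
"referer" "ua"); the indicator list is illustrative, not exhaustive.
"""
import re
from typing import Dict, Iterable, Iterator, List, Optional

# One Combined Log Format line. The User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators that a header value is being used as markup rather than as a
# product token. Each entry is a label for the alert plus a compiled pattern.
INDICATORS = [
    ("html-tag",        re.compile(r"<\s*/?\s*[a-z][a-z0-9]*", re.I)),
    ("event-handler",   re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js-scheme",       re.compile(r"javascript\s*:", re.I)),
    ("entity-encoding", re.compile(r"&(#x?[0-9a-f]+|lt|gt|quot);", re.I)),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one access-log line into named fields; None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def classify_user_agent(ua: str) -> List[str]:
    """Return the labels of every indicator matched by the header value."""
    return [label for label, pat in INDICATORS if pat.search(ua)]


def scan(lines: Iterable[str]) -> Iterator[Dict[str, object]]:
    """Yield one finding per line whose User-Agent matches an indicator."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; a real pipeline would count these too
        hits = classify_user_agent(rec["ua"])
        if hits:
            yield {"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"], "hits": hits}


# Constructed sample log: two ordinary browsers, two header values carrying
# markup, and one malformed line to show the parser skipping it.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2018:10:01:02 +0000] "GET /webconsole/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/57.0"',
    '203.0.113.9 - - [12/Jan/2018:10:01:05 +0000] "POST / HTTP/1.1" 403 0 "-" "<script>probe()</script>"',
    '198.51.100.7 - - [12/Jan/2018:10:01:09 +0000] "GET / HTTP/1.1" 200 120 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/63.0"',
    '203.0.113.9 - - [12/Jan/2018:10:02:41 +0000] "POST / HTTP/1.1" 403 0 "-" "<img src=x onerror=probe()>"',
    "this line is not in the expected format",
]


def findings() -> List[Dict[str, object]]:
    """Run the scan over the constructed sample log."""
    return list(scan(SAMPLE_LOG))


if __name__ == "__main__":
    for f in findings():
        print(f"{f['ts']} {f['ip']} {f['hits']} ua={f['ua']!r}")
```

Two design points matter in practice: the detector reads the raw header, so it must run on the log source or a SIEM copy rather than on the rendered admin page, and a 403 from the WAF does not mean the request was harmless, since the logging path is exactly what the CVE abuses. Findings from one source address repeating across minutes, as in the sample, are the pattern worth escalating.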

Reservation

01/01/2018

Disclosure

01/12/2018

Moderation

accepted

CPE

ready

EPSS

0.00178

KEV

no

Activities

very low
