usd-2020-0106 (CVE-2021-25273) | Sophos UTM


Advisory ID: usd-2020-0106
CVE Number: CVE-2021-25273
Affected Product: Sophos UTM
Affected Version: < UTM 9.706
Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk: Medium
Vendor URLhttps://sophos.com
Vendor Status: Fixed

Description

Sophos UTM offers a web interface to manage quarantined mails. The web-based interface did not filter user controlled inputs sufficiently, resulting in multiple Cross-Site Scripting (XSS) vulnerabilities.

Sophos UTM is a firewall solution by Sophos. It implements a web interface that allows authenticated users to manage quarantined mails. Additionally, users can inspect the contents of mails.

Sophos UTM fails to sanitize the following contents of mails before reflecting them within the web interface:

  • subject
  • filename(s) of attached file(s)
  • sender's name
  • mail body (actual contents)

As the mails are persistently stored, direct result of this behavior is stored XSS.

Proof of Concept (PoC)

1. Send an e-mail that purposely is sent to quarantine by Sophos UTM. This can be for instance achieved by including the "Generic Test for Unsolicited Bulk Email" (GTUBE) test string. Additionally, include the following markup:

<iframe src="asd">
<img src="x:gif" onerror="alert('asd')"></img>

2. Access the SMTP quarantine interface and display the detail view of the previously sent mail.

3. Observe that the XSS payload is executed within Sophos UTM's origin.

Fix

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars().

Additionally, all input should be validated on the server-side. Where possible, whitelist filters should be used. The more restrictive a filter can be specified, the better the protection it provides. Whitelisting is especially recommended if input values have a well defined format or a list of valid input values exists. Invalid values should not be sanitized and forwarded to the application. Instead, requests with invalid values should be rejected.

Further details on how to prevent XSS vulnerabilities can be obtained from OWASP.

References

Timeline

  • 2020-10-07: Vulnerability reported by Daniel Hoffmann / Advisory created.
  • 2020-12-09: Sophos is not able to reproduce the reported issue.
  • 2021-02-02: We are finally able to reproduce the issue again and provide further information.
  • 2021-02-03: Sophos acknowledges that they were also able to reproduce the issue and are working on a fix.
  • 2021-05-03: Security advisory and update published by Sophos with UTM Up2Date 9.706.
  • 2021-11-30: Security advisory released by usd AG.

Credits

This security vulnerability was found by Daniel Hoffmann of usd AG.