CVE-2023-30806 - OpenCVE

The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Sangfor	Next-gen Application Firewall

Configuration 1 [-]

cpe:2.3:a:sangfor:next-gen_application_firewall:ngaf8.0.17:*:*:*:*:*:*:*

References

Link	Resource
https://aws.amazon.com/marketplace/pp/prodview-uujwjffddxzp4	Product
https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/	Exploit Third Party Advisory
https://vulncheck.com/advisories/sangfor-ngaf-sessid-rce	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: VulnCheck

Published: 2023-10-10T14:27:42.771Z

Updated: 2023-10-10T14:27:42.771Z

Reserved: 2023-04-18T10:31:45.963Z

Link: CVE-2023-30806

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-10-10T15:15:10.170

Modified: 2023-10-13T15:00:30.383

Link: CVE-2023-30806

JSON object: View

Redhat Information

No data.

CWE

CWE-78

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-30806", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2023-04-18T10:31:45.963Z", "datePublished": "2023-10-10T14:27:42.771Z", "dateUpdated": "2023-10-10T14:27:42.771Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["Linux"], "product": "Net-Gen Application Firewall", "vendor": "Sangfor", "versions": [{"status": "affected", "version": "8.0.17"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "watchTowr Labs"}, {"lang": "en", "type": "reporter", "user": "00000000-0000-4000-9000-000000000000", "value": "watchTowr Labs"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.<br></div>"}], "value": "The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.\n\n\n"}], "impacts": [{"capecId": "CAPEC-88", "descriptions": [{"lang": "en", "value": "CAPEC-88 OS Command Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2023-10-10T14:27:42.771Z"}, "references": [{"tags": ["third-party-advisory", "exploit", "technical-description"], "url": "https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/sangfor-ngaf-sessid-rce"}, {"tags": ["product"], "url": "https://aws.amazon.com/marketplace/pp/prodview-uujwjffddxzp4"}], "source": {"discovery": "UNKNOWN"}, "title": "Sangfor Next-Gen Application Firewall PHPSESSID Command Injection", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sangfor:next-gen_application_firewall:ngaf8.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "EDCE7CFB-D534-49FC-BAA2-C64A4A6F4630", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Sangfor Next-Gen Application Firewall version NGAF8.0.17 is vulnerable to an operating system command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to mishandling of shell meta-characters in the PHPSESSID cookie.\n\n\n"}, {"lang": "es", "value": "La versi\u00f3n NGAF8.0.17 de Sangfor Next-Gen Application Firewall est\u00e1 afectada por una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo. Un atacante remoto y no autenticado puede ejecutar comandos arbitrarios enviando una solicitud HTTP POST manipulada al endpoint /cgi-bin/login.cgi. Esto se debe a un mal manejo de los metacaracteres del shell en la cookie PHPSESSID."}], "id": "CVE-2023-30806", "lastModified": "2023-10-13T15:00:30.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2023-10-10T15:15:10.170", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://aws.amazon.com/marketplace/pp/prodview-uujwjffddxzp4"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://vulncheck.com/advisories/sangfor-ngaf-sessid-rce"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-78"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}