CVE-2019-25394: Smoothwall Express XSS — Patch Guide
CVE-2019-25394
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the modem.cgi script that allow attackers to inject malicious scripts through POST para...
Overview
A significant security vulnerability has been identified in Smoothwall Express 3.1-SP4, a popular open-source firewall and network gateway solution. This flaw allows an attacker to inject malicious code into the system’s web interface, which is then executed in the browsers of legitimate administrators or users.
Vulnerability Explained
The vulnerability exists in the modem.cgi script, a component used for modem management. The script does not properly validate or sanitize user input in several POST parameters (INIT, HANGUP, SPEAKER_ON, SPEAKER_OFF, TONE_DIAL, PULSE_DIAL). An attacker can submit a specially crafted request containing malicious JavaScript code. This code is then stored by the application and later served to users who access the affected modem management page. Because the values are persisted in the configuration rather than reflected only in one response, the script runs automatically in the browser of every user who subsequently loads that page, not just the one who submitted the request. This class of flaw is known as stored cross-site scripting (XSS).
Potential Impact
The impact of this vulnerability is serious, with a CVSS score of 7.2 (High severity). Since the attack targets the administrative web interface, a successful exploit could lead to:
- Session Hijacking: An attacker could steal the session cookies of an authenticated administrator, granting them full control over the Smoothwall firewall without needing a password.
- Administrative Takeover: Malicious scripts could be used to change firewall rules, open ports, or create new administrative accounts.
- Defacement or Misinformation: The attacker could alter the content displayed on the web interface.
- Pivot Point: A compromised firewall can serve as a foothold for launching further attacks into the internal network it is designed to protect.
Remediation and Mitigation
Immediate action is required to protect affected systems.
- Apply the Official Update: The primary and most effective remediation is to apply the official patch provided by the Smoothwall development team. Update to the latest version of Smoothwall Express 3.1 as specified in their security advisory. This is the only way to permanently resolve the underlying code flaw.
- Immediate Mitigation (If Patching is Delayed):
  - Restrict Network Access: Ensure the Smoothwall administrative interface is not accessible from the public internet. It should only be reachable from a trusted, internal management network.
  - Use a Web Application Firewall (WAF): Deploy a WAF in front of the Smoothwall interface if possible. Configure it to block requests containing common XSS payloads targeting the affected parameters.
  - Principle of Least Privilege: Review and minimize the number of users with administrative access to the web interface.
- General Security Hygiene:
  - Treat all user input as untrusted. This case underscores the critical need for rigorous input validation on the way in and context-appropriate output encoding on the way out in all web applications.
  - Subscribe to security advisories for all software in your environment and review them regularly to ensure timely patching.
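The flaw pattern described under Vulnerability Explained and the validation-plus-encoding advice above, as an added Python illustration (this is not Smoothwall's modem.cgi, whose source is not reproduced here): a settings handler that stores the six modem parameters and echoes them back into form fields, shown in a vulnerable form beside a hardened one. The AT-command allowlist and the sample POST body are assumptions made for the example.

```python
import html
import re

MODEM_PARAMS = ("INIT", "HANGUP", "SPEAKER_ON", "SPEAKER_OFF",
                "TONE_DIAL", "PULSE_DIAL")

# Hypothetical allowlist (assumption, not from the advisory): modem settings
# are short AT command strings, so anything else is rejected before storage.
AT_COMMAND = re.compile(r"[A-Za-z0-9+&%#*,;=\^ ]{0,64}")


def store_unsafe(form: dict) -> dict:
    """Vulnerable: every submitted value is persisted verbatim."""
    return {p: form.get(p, "") for p in MODEM_PARAMS}


def render_unsafe(settings: dict) -> str:
    """Vulnerable: stored values are interpolated into HTML unencoded."""
    return "".join(f'<input type="text" name="{p}" value="{settings[p]}">\n'
                   for p in MODEM_PARAMS)


def store_safe(form: dict) -> dict:
    """Hardened (input validation): reject anything that is not an AT command."""
    settings = {}
    for p in MODEM_PARAMS:
        value = form.get(p, "")
        if not AT_COMMAND.fullmatch(value):
            raise ValueError(f"{p}: not a valid modem command string")
        settings[p] = value
    return settings


def render_safe(settings: dict) -> str:
    """Hardened (output encoding): escape &, <, > and both quote characters
    so the value cannot break out of the attribute context."""
    return "".join(
        f'<input type="text" name="{p}" value="{html.escape(settings[p], quote=True)}">\n'
        for p in MODEM_PARAMS)


# Constructed sample POST body: one benign value and one carrying markup.
SAMPLE_FORM = {"INIT": "ATZ", "HANGUP": '"><script>x</script>'}
```

Validation and encoding are independent layers: `store_safe` stops the markup from ever being persisted, while `render_safe` keeps an already-poisoned settings file from executing in the browser.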
System administrators should prioritize patching this vulnerability due to the high level of access a successful exploit provides to a critical network security device.