CVE-2019-25395: Smoothwall Express XSS — Patch Guide
CVE-2019-25395
Smoothwall Express 3.1-SP4-polar-x86_64-update9 contains multiple stored cross-site scripting vulnerabilities in the preferences.cgi script that allow attackers to inject malicious scripts through the...
Overview
A significant security vulnerability exists in Smoothwall Express 3.1-SP4-polar-x86_64-update9, a popular firewall and network protection platform. This flaw allows attackers to inject malicious code into the system’s web management interface, which can then execute in the browsers of legitimate administrators.
Vulnerability Explained
In simple terms, this is a Stored Cross-Site Scripting (XSS) vulnerability. The web page used to configure system preferences (preferences.cgi) does not properly check or clean user input. Specifically, an attacker can submit specially crafted data in the HOSTNAME, KEYMAP, or OPENNESS configuration fields. This malicious code is then saved (or “stored”) on the Smoothwall system itself.
When an administrator later visits the preferences management page, the saved malicious script is automatically delivered and runs in their web browser, without requiring any further action from the attacker.
Potential Impact
The severity of this vulnerability is HIGH. Successful exploitation can lead to:
- Session Hijacking: An attacker can steal the administrator’s session cookies, granting them full, unauthorized access to the Smoothwall web interface.
- Complete System Compromise: With administrative control of the firewall, an attacker can change security rules, intercept network traffic, disable protections, or use the system as a foothold to attack other internal network devices.
- Data Theft: Sensitive network configuration data and logs can be exfiltrated.
- Defacement or Misinformation: The management interface could be altered to display incorrect information or attacker-controlled content.
The risk is particularly high because the attack targets administrators, who hold the highest level of privilege on the system.
Remediation and Mitigation
Immediate Action Required:
- Apply Updates: This vulnerability was addressed in subsequent updates to Smoothwall Express. Immediately update to the latest patched version provided by the Smoothwall project. Consult the official Smoothwall Express website or repositories for the correct update path from your current version (3.1-SP4-polar-x86_64-update9).
- Temporary Mitigation (If Update is Delayed):
  - Restrict Access: Ensure the Smoothwall web administration interface is only accessible from trusted, internal management networks. Never expose it directly to the internet.
  - Use Strong Authentication: Enforce strong, unique passwords for all administrative accounts.
  - Monitor Logs: Closely review web server and authentication logs for any suspicious POST requests to preferences.cgi containing unusual script-like patterns in the parameters.
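One way to automate the Monitor Logs step, as an added example that is not code from Smoothwall or from this advisory. It assumes a constructed log format in which a proxy or audit log records the URL-encoded POST body (a plain access log does not), a hypothetical `/cgi-bin/` path, and a hypothetical allowlist of characters for the three fields; adjust all three to your deployment.

```python
import re
from urllib.parse import parse_qs

# Fields the advisory names as injectable in preferences.cgi.
WATCHED_FIELDS = ("HOSTNAME", "KEYMAP", "OPENNESS")

# Assumption: legitimate values contain only these characters. Anything else
# (angle brackets, quotes, '%' left over from double encoding, newlines) is flagged.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._-]{0,253}")

# Constructed sample log: "<client> <method> <path> <url-encoded body>".
SAMPLE_LOG = """\
192.0.2.10 POST /cgi-bin/preferences.cgi HOSTNAME=smoothwall&KEYMAP=us&OPENNESS=closed&ACTION=Save
192.0.2.44 POST /cgi-bin/preferences.cgi HOSTNAME=fw%3Cscript%3E&KEYMAP=us&OPENNESS=closed
192.0.2.44 POST /cgi-bin/preferences.cgi HOSTNAME=fw&KEYMAP=us&OPENNESS=%2522onmouseover%253D
192.0.2.10 GET /cgi-bin/preferences.cgi -
192.0.2.10 POST /cgi-bin/other.cgi HOSTNAME=%3Cb%3E
"""


def suspicious_fields(body):
    """Return {field: [values]} for watched fields whose decoded value fails the allowlist."""
    params = parse_qs(body, keep_blank_values=True)  # decodes percent-encoding once
    hits = {}
    for field in WATCHED_FIELDS:
        # fullmatch, not match with '$': '$' would accept a trailing newline.
        bad = [v for v in params.get(field, []) if not SAFE_VALUE.fullmatch(v)]
        if bad:
            hits[field] = bad
    return hits


def scan(log_text):
    """Return (line number, client, hits) for each suspicious POST to preferences.cgi."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # malformed or truncated entry
        client, method, path, body = parts
        if method != "POST" or not path.split("?")[0].endswith("preferences.cgi"):
            continue
        hits = suspicious_fields(body)
        if hits:
            findings.append((lineno, client, hits))
    return findings


if __name__ == "__main__":
    for lineno, client, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {client} sent suspicious values: {hits}")
```

Because the check is an allowlist rather than a search for `<script>`, the double-encoded value on the third sample line is flagged as well: after one round of decoding it still contains `%`.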
General Best Practice: Treat your security appliance’s management interface with the same level of protection as your most critical systems. Regular updates and network segmentation are essential for defense-in-depth.