CVE-2017-6315
📋 TL;DR
CVE-2017-6315 is a critical remote code execution vulnerability in Astaro Security Gateway (ASG) 7 that allows attackers to execute arbitrary code via crafted requests to index.plx. This affects all ASG 7 installations, potentially giving attackers complete control over the security gateway.
💻 Affected Systems
- Astaro Security Gateway (ASG)
📦 What is this software?
Astaro Security Gateway Firmware by Sophos
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the security gateway, allowing attackers to pivot to internal networks, intercept traffic, disable security controls, and establish persistent access.
Likely Case
Remote code execution leading to gateway compromise, credential theft, network reconnaissance, and potential lateral movement to protected internal systems.
If Mitigated
Limited impact with proper network segmentation, but still represents a significant security breach requiring immediate remediation.
🎯 Exploit Status
Public exploit code is available and trivial to use. The vulnerability requires no authentication and has minimal prerequisites for successful exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to Sophos UTM 9 or later (ASG was rebranded to Sophos UTM)
Vendor Advisory: https://community.sophos.com/b/security-blog/posts/critical-vulnerability-in-astaro-security-gateway-7-cve-2017-6315
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the latest Sophos UTM firmware.
3. Apply the update via the web interface.
4. Reboot the system.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict access to web interface
Limit access to the ASG web administration interface to trusted IP addresses only
Configure firewall rules to restrict access to ASG web interface ports (default 4444 for HTTPS)
Disable web interface if not needed
Temporarily disable the web administration interface if console/SSH management is sufficient
Disable web administration service via CLI: system services webadmin disable
🧯 If You Can't Patch
- Immediately restrict network access to ASG management interface using firewall rules
- Implement network segmentation to isolate ASG from critical internal networks
🔍 How to Verify
Check if Vulnerable:
Check ASG version via web interface or CLI: cat /etc/version | grep 'ASG 7'
Check Version:
cat /etc/version
Verify Fix Applied:
Verify version is updated: cat /etc/version should show Sophos UTM 9 or later
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to index.plx
- Multiple failed authentication attempts followed by successful exploit
- Suspicious process creation from web server
Network Indicators:
- Unusual outbound connections from ASG
- Traffic patterns indicating reverse shells
- Exploit payloads in HTTP requests
SIEM Query:
source="asg_logs" AND (uri="*index.plx*" OR process="*suspicious*" OR event="*exploit*")
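The "unusual requests to index.plx" indicator above can be turned into a concrete check by combining it with the trusted-IP workaround: flag any index.plx request whose source is outside the admin allowlist. The following is an added example, not code from the page or from Sophos; it assumes a combined-log style line format (the real ASG log format is not shown here), a constructed allowlist of 192.0.2.0/24, and constructed sample log lines.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in combined-log style (not real ASG output).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:10:00:01 +0000] "GET /index.plx?action=login HTTP/1.1" 200 512
198.51.100.7 - - [10/Mar/2017:10:00:05 +0000] "POST /index.plx HTTP/1.1" 200 128
198.51.100.7 - - [10/Mar/2017:10:00:06 +0000] "POST /index.plx HTTP/1.1" 200 128
192.0.2.10 - - [10/Mar/2017:10:01:00 +0000] "GET /static/logo.png HTTP/1.1" 200 2048
this line is not a valid log record
"""

# Assumed admin allowlist; mirrors the "trusted IP addresses only" workaround above.
TRUSTED_ADMIN_NETS = [ip_network("192.0.2.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def is_trusted(ip):
    """True if the source address falls inside any trusted admin network."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def find_index_plx_alerts(log_text):
    """Return the parsed records for index.plx requests from non-allowlisted sources."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "index.plx" not in rec["uri"].lower():
            continue  # unparseable line, or not the endpoint named in the advisory
        if is_trusted(rec["ip"]):
            continue  # admin traffic from the allowlist is expected
        alerts.append(rec)
    return alerts


def summarize_by_source(alerts):
    """Count alerts per source IP so repeated probing stands out."""
    return Counter(a["ip"] for a in alerts)
```

Requests from the allowlisted admin host are ignored, while the two index.plx posts from 198.51.100.7 are reported and counted by source.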