CVE-2019-25404
📋 TL;DR
Comodo Dome Firewall 2.7.0 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts into admin management parameters. When administrators access the interface, these scripts execute in their browser context, potentially compromising administrative sessions. This affects organizations using Comodo Dome Firewall 2.7.0 with authenticated user access.
💻 Affected Systems
- Comodo Dome Firewall
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, gain full administrative control of the firewall, modify security policies, exfiltrate sensitive configuration data, or pivot to internal networks.
Likely Case
Attackers with authenticated access could steal administrator session cookies, perform actions as administrators, or deploy additional malicious payloads through the firewall interface.
If Mitigated
With proper input validation and output encoding, malicious scripts would be sanitized before storage and execution, preventing successful exploitation.
🎯 Exploit Status
Exploit requires authenticated access but is straightforward to execute via crafted POST requests to the /korugan/admins endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.0 or later
Vendor Advisory: https://cdome.comodo.com/firewall/
Restart Required: Yes
Instructions:
1. Log into the Comodo Dome Firewall admin interface.
2. Navigate to System > Upgrade.
3. Download and install version 2.8.0 or later.
4. Reboot the firewall appliance after installation completes.
🔧 Temporary Workarounds
Input Validation via WAF
Deploy web application firewall rules to block script injection in POST parameters
WAF-specific configuration required
Restrict Admin Interface Access
Limit access to the /korugan/admins endpoint to trusted IP addresses only
Firewall rule configuration required
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-supplied data in the admin interface
- Monitor and audit all POST requests to the /korugan/admins endpoint for suspicious patterns
🔍 How to Verify
Check if Vulnerable:
Check if running Comodo Dome Firewall version 2.7.0 via admin interface System > About page
Check Version:
Not applicable - check via web interface System > About
Verify Fix Applied:
Verify that the version is 2.8.0 or later, then confirm that input submitted in the admin_name, name, and surname parameters is properly sanitized and encoded when rendered in the admin interface
📡 Detection & Monitoring
Log Indicators:
- POST requests to /korugan/admins containing script tags or JavaScript in parameters
- Unusual admin account modifications
Network Indicators:
- HTTP POST requests to firewall management interface with encoded script payloads
SIEM Query:
source="firewall_logs" AND uri_path="/korugan/admins" AND (http_method="POST") AND (param_name="admin_name" OR param_name="name" OR param_name="surname") AND (param_value CONTAINS "<script>" OR param_value CONTAINS "javascript:")
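The same detection logic as the SIEM query above, run offline over constructed request log lines. This is an added example, not part of the advisory or of the Comodo product; the log line layout it parses is an assumption, and the sample entries are constructed.

```python
"""Flag POST requests to /korugan/admins whose admin_name, name or surname
parameter carries script content, matching after URL-decoding."""
import re
from urllib.parse import parse_qs, unquote_plus

MONITORED_PATH = "/korugan/admins"
MONITORED_PARAMS = ("admin_name", "name", "surname")
# Markers from the SIEM query; case-insensitive so mixed-case variants are caught.
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)
# Assumed layout (constructed for this example, not the appliance's real format):
# "<timestamp> <client_ip> <method> <path> <form body or '-'>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, method, path, body = m.groups()
    params = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return {"ts": ts, "ip": ip, "method": method, "path": path, "params": params}


def find_suspicious_admin_posts(log_lines):
    """Return (timestamp, client_ip, parameter, decoded_value) for each hit."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != MONITORED_PATH:
            continue
        for name in MONITORED_PARAMS:
            for value in rec["params"].get(name, []):
                # parse_qs decodes once; decode again so double-encoded values are not missed
                decoded = unquote_plus(value)
                if SCRIPT_MARKERS.search(decoded):
                    hits.append((rec["ts"], rec["ip"], name, decoded))
    return hits


# Constructed sample log: one benign update, a GET, an off-path POST, and three hits.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z 10.0.0.5 POST /korugan/admins admin_name=alice&name=Alice&surname=Smith",
    "2024-05-01T10:00:05Z 10.0.0.9 POST /korugan/admins admin_name=bob&name=%3Cscript%3Ex%3C%2Fscript%3E&surname=Jones",
    "2024-05-01T10:00:07Z 10.0.0.9 GET /korugan/admins -",
    "2024-05-01T10:00:09Z 10.0.0.7 POST /korugan/admins admin_name=eve&name=Eve&surname=JaVaScRiPt%3Avoid(0)",
    "2024-05-01T10:00:11Z 10.0.0.7 POST /korugan/other name=%3Cscript%3E&surname=x",
    "2024-05-01T10:00:13Z 10.0.0.9 POST /korugan/admins admin_name=%253Cscript%253E&name=Z&surname=Q",
]

if __name__ == "__main__":
    for hit in find_suspicious_admin_posts(SAMPLE_LOG):
        print("suspicious:", hit)
```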