CVE-2021-36807

8.8 HIGH

📋 TL;DR

An authenticated user can execute arbitrary code through an SQL injection vulnerability in the Sophos SG UTM user portal. This affects organizations running SG UTM versions before 9.708 MR8, potentially compromising the security appliance.

💻 Affected Systems

Products:
  • Sophos SG UTM
Versions: before 9.708 MR8
Operating Systems: Sophos SG UTM OS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the user portal component; default configurations include this portal.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise allowing an attacker to execute arbitrary code, access sensitive data, and pivot to internal networks.

🟠 Likely Case: Data exfiltration, privilege escalation, or manipulation of UTM configurations leading to further attacks.

🟢 If Mitigated: Limited impact if strong authentication, network segmentation, and input validation are in place, but risk remains.

🌐 Internet-Facing: HIGH if the user portal is exposed to the internet, as authenticated users could exploit it remotely.
🏢 Internal Only: HIGH for internal authenticated users, as they can exploit the vulnerability from within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; SQL injection is a common attack vector with low complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 9.708 MR8 or later

Vendor Advisory: https://www.sophos.com/en-us/security-advisories/sophos-sa-20211126-sg-sqli

Restart Required: Yes

Instructions:

1. Log into the SG UTM admin interface.
2. Navigate to System > Update.
3. Check for and apply the update to version 9.708 MR8 or higher.
4. Restart the system as prompted.

🔧 Temporary Workarounds

Disable User Portal (applies to: all)

Temporarily disable the vulnerable user portal to prevent exploitation.

Log into the admin interface, go to Web > User Portal, and disable it.

Restrict Access (applies to: all)

Limit network access to the user portal using firewall rules to trusted IPs only.

Configure firewall rules in SG UTM to allow only specific IPs to access the user portal.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the SG UTM from critical systems.
  • Enforce strong authentication and monitor for unusual SQL queries in logs.

🔍 How to Verify

Check if Vulnerable:

Check the SG UTM version via the admin interface; if below 9.708 MR8, it is vulnerable.

Check Version:

Log into the admin web interface and navigate to System > Update to view the current version.

Verify Fix Applied:

After patching, confirm the version is 9.708 MR8 or higher in the System > Update section.
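The version check above is a manual comparison against 9.708 MR8. For a fleet of appliances it is easier to script, so here is an added example (not vendor code) that parses the "MAJOR.MINOR MRn" shape the advisory uses and flags installed versions that sort before the fixed one. The version-string format, the treatment of a missing MR suffix as MR0, and the inventory dictionary are assumptions for illustration; Sophos may render versions differently in its own exports.

```python
import re
from typing import Dict, List, Tuple

# Fixed version stated in the advisory.
FIXED_VERSION = "9.708 MR8"

# Assumed shape: "9.708 MR8" or "9.708" (no maintenance release suffix).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\s*MR(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Return (major, minor, mr) for an SG UTM version string.

    The "9.708 MR8" form is taken from the advisory; other spellings are not
    handled (assumption). A missing MR suffix is treated as MR0 so that a bare
    "9.708" still sorts before "9.708 MR8".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, mr = m.groups()
    return int(major), int(minor), int(mr or 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly older than the fixed one."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose recorded version still needs the patch.

    `inventory` maps hostname -> version string as read from an asset export
    (constructed input; the export format is an assumption).
    """
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "utm-branch-a": "9.706 MR2",
        "utm-branch-b": "9.708 MR8",
        "utm-hq": "9.708 MR9",
        "utm-lab": "9.708",
    }
    for host in triage(sample):
        print(f"{host}: {sample[host]} is below {FIXED_VERSION}, patch required")
```

Versions are compared as integer tuples, so "9.708" versus "9.71" compares the minor field numerically (708 versus 71); adjust the parser if the real export uses a different scheme.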

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in user portal logs, unexpected authentication attempts, or error messages related to SQL injection.

Network Indicators:

  • Suspicious HTTP POST requests to user portal endpoints with SQL payloads.

SIEM Query:

Example: search for 'user_portal' AND ('sql' OR 'injection') in web server logs.
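The SIEM query above is a keyword search; a rule that actually inspects request targets under the user portal path for SQL-injection shapes gives fewer false positives. The following is an added detection example, not code from Sophos or from this advisory. It runs over constructed combined-format access-log lines (the IPs, timestamps and the /userportal/ path prefix are assumptions; the real portal path and log format should be taken from the appliance) and reports which requests matched which pattern.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_plus

# Constructed sample log in combined format. Hosts, addresses and the
# /userportal/ prefix are illustrative assumptions, not Sophos log output.
SAMPLE_LOG = """\
10.0.5.23 - - [27/Nov/2021:10:01:02 +0000] "POST /userportal/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.5.23 - - [27/Nov/2021:10:01:09 +0000] "POST /userportal/profile?name=alice HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.5.77 - - [27/Nov/2021:10:02:40 +0000] "POST /userportal/profile?name=alice%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 120 "-" "python-requests/2.25"
10.0.5.77 - - [27/Nov/2021:10:02:41 +0000] "GET /userportal/export?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 200 4000 "-" "python-requests/2.25"
10.0.9.10 - - [27/Nov/2021:10:03:00 +0000] "GET /webadmin/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Generic SQL-injection shapes applied to the URL-decoded request target.
SQLI_PATTERNS = [
    ("boolean-clause", re.compile(r"'\s*(or|and)\s+'?\w+'?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("trailing-comment", re.compile(r"(--|/\*)\s*$")),
    ("stacked-statement", re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
]


@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    target: str  # decoded request target
    status: str
    reason: str  # label of the pattern that matched


def scan_line(line: str, portal_prefix: str = "/userportal/") -> Optional[Finding]:
    """Return a Finding if the line is a portal request with an SQLi-shaped target."""
    m = LOG_RE.match(line)
    if not m or not m["target"].startswith(portal_prefix):
        return None
    decoded = unquote_plus(m["target"])  # payloads are usually URL-encoded
    for label, pattern in SQLI_PATTERNS:
        if pattern.search(decoded):
            return Finding(m["ip"], m["ts"], m["method"], decoded, m["status"], label)
    return None


def scan_log(text: str, portal_prefix: str = "/userportal/") -> List[Finding]:
    """Scan every line of an access log and collect findings in order."""
    return [f for f in (scan_line(l, portal_prefix) for l in text.splitlines()) if f]


def noisy_sources(findings: List[Finding], threshold: int = 2) -> List[str]:
    """Client addresses with at least `threshold` findings, for escalation."""
    counts = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.ip} {f.method} {f.status} [{f.reason}] {f.target}")
    print("escalate:", noisy_sources(hits))
```

Two caveats for real deployments: web-server access logs record the query string but not form-encoded POST bodies, so payloads submitted in a body are only visible if the portal's application log or a reverse proxy captures them; and a 500 response on a portal endpoint that receives a matching target is a stronger signal than either indicator alone, which is why the status code is kept in the finding.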
