Security Announcement:
The Sangfor security team recently received vulnerability reports for Sangfor Next-Generation Application Firewall (NGAF) from researcher Sonny Macdonald of the watchTowr team. After the public disclosure of these vulnerabilities by watchTowr in an article on October 5, 2023, and the subsequent release of further details, Sangfor conducted an internal investigation. It has been verified that these vulnerabilities were present in versions AF8.0.17 (released in 2019) and earlier. These issues have been addressed in versions later than AF8.0.17 and in subsequent patches. On October 10, 2023, Sangfor reached out to Sonny Macdonald to clarify his findings but has yet to receive a response. We extend our thanks to Sonny for his interest in Sangfor products.
Details of the vulnerabilities are as follows:
1) CVE-2023-30802: Source Code Disclosure Vulnerability
Description: A remote and unauthenticated attacker can obtain PHP source code by sending an HTTP request with an invalid Content-Length field.
Affected Versions: AF8.0.7-AF8.0.17
Solutions:
- Upgrade to versions later than AF8.0.17.
- Install the patch bundle SP_AF_JG_25 or above. It's recommended to install the latest SP_AF_JG_26 patch bundle.
2) CVE-2023-30803: Authentication Bypass Vulnerability
Description: A remote and unauthenticated attacker can bypass authentication and access administrative functionality by sending HTTP requests using a crafted Y-forwarded-for header.
Affected Versions: AF8.0.7-AF8.0.17
Solutions:
- Upgrade to versions later than AF8.0.17.
- Install the patch hwbd_v3_sp, released in 2020. This patch is included in patch bundles SP_AF_JG_01 and above. It's recommended to install the latest SP_AF_JG_26 patch bundle.
3) CVE-2023-30804: File Disclosure Vulnerability
Description: A remote and authenticated attacker can read arbitrary system files using the svpn_html/loadfile.php endpoint. This issue is exploitable by a remote and unauthenticated attacker when paired with CVE-2023-30803.
Affected Versions: AF5.4-AF8.0.17
Solutions:
- Upgrade to versions later than AF8.0.17.
- Install the patch hwbd_v3_sp, released in 2020. This patch is included in patch bundles SP_AF_JG_01 and above. It's recommended to install the latest SP_AF_JG_26 patch bundle.
4) CVE-2023-30805: Command Injection Vulnerability
Description: A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /LogInOut.php endpoint. This is due to the mishandling of shell meta-characters in the "un" parameter.
Affected Versions: AF7.0-AF8.0.17
Solutions:
- Upgrade to versions later than AF8.0.17.
- Install the patch ymsj_sp, released in 2020. This patch is included in patch bundles SP_AF_JG_01 and above. It's recommended to install the latest SP_AF_JG_26 patch bundle.
5) CVE-2023-30806: Command Injection Vulnerability
Description: A remote and unauthenticated attacker can execute arbitrary commands by sending a crafted HTTP POST request to the /cgi-bin/login.cgi endpoint. This is due to the mishandling of shell meta-characters in the PHPSESSID cookie.
Affected Versions: AF8.0.7-AF8.0.17
Solutions:
- Upgrade to versions later than AF8.0.17.
- Install the patch hwbd_v3_sp, released in 2020. This patch is included in patch bundles SP_AF_JG_01 and above. It's recommended to install the latest SP_AF_JG_26 patch bundle.
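The five request patterns described above, turned into a triage check that a defender can run over exported request records. This is an added example, not code from the advisory or from Sangfor; the record layout (method, uri, headers, body), the "__marker__" placeholder in the constructed samples and the exact meta-character set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Shell meta-characters; their presence in the "un" form field or the PHPSESSID
# cookie is what the advisory describes for CVE-2023-30805 and CVE-2023-30806.
SHELL_META = re.compile(r"[;|&`$(){}<>\r\n]")

def phpsessid_value(cookie_header: str) -> str:
    """Return the PHPSESSID value, keeping an injected ';' inside it visible."""
    m = re.search(r"(?:^|;\s*)PHPSESSID=(.*)$", cookie_header)
    # Drop trailing well-formed "; name=value" cookies; a ';' not followed by a
    # name=value pair cannot be a cookie separator, so it stays in the value.
    return re.sub(r"(;\s*[^;=\s]+=[^;]*)*$", "", m.group(1)) if m else ""

def check_request(req: dict) -> list:
    """Return the advisory CVE ids whose request pattern the record matches.
    Record layout is an assumption: method, uri, headers (dict), body (form)."""
    hits = []
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    path = urlsplit(req["uri"]).path
    form = parse_qs(req.get("body", ""), keep_blank_values=True)
    is_post = req["method"].upper() == "POST"
    cl = headers.get("content-length")
    if cl is not None and not cl.strip().isdigit():
        hits.append("CVE-2023-30802")  # invalid Content-Length field
    if "y-forwarded-for" in headers:
        hits.append("CVE-2023-30803")  # header used for the auth bypass
    if path.endswith("/svpn_html/loadfile.php"):
        hits.append("CVE-2023-30804")  # file read endpoint; review every hit
    if is_post and path.endswith("/LogInOut.php"):
        if any(SHELL_META.search(v) for v in form.get("un", [])):
            hits.append("CVE-2023-30805")
    if is_post and path.endswith("/cgi-bin/login.cgi"):
        if SHELL_META.search(phpsessid_value(headers.get("cookie", ""))):
            hits.append("CVE-2023-30806")
    return hits

# Constructed sample records (not captured traffic); "__marker__" stands in
# for whatever text followed the meta-character in a real request.
SAMPLE_REQUESTS = [
    {"method": "POST", "uri": "/LogInOut.php", "body": "un=alice&pw=x",
     "headers": {"Content-Length": "13", "Cookie": "PHPSESSID=s1; lang=en"}},
    {"method": "POST", "uri": "/LogInOut.php", "body": "un=alice%3B__marker__",
     "headers": {"Content-Length": "abc"}},
    {"method": "POST", "uri": "/cgi-bin/login.cgi", "body": "",
     "headers": {"Cookie": "PHPSESSID=s1;__marker__; lang=en"}},
    {"method": "GET", "uri": "/svpn_html/loadfile.php",
     "headers": {"Y-forwarded-for": "x"}},
]
```

A hit on CVE-2023-30804 alone only marks the endpoint for review, since authenticated use is legitimate; the advisory's unauthenticated case shows up as that hit together with a CVE-2023-30803 hit on the same record.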
Patch Acquisition:
Sangfor NGAF customers can obtain the patches by contacting Sangfor’s Global Technical Services at +60 12 711 7511 (7129) or tech.support@sangfor.com. You can also contact your local Sangfor technical support team. Contact details can be found at https://www.sangfor.com/support/technical-support.
Disclaimer:
Any software or patch downloaded and used from the Sangfor service page is copyrighted by Sangfor and/or its suppliers. Without Sangfor's permission, you may not disclose any related information to third parties. Except for the software or patch’s intended purpose, you may not further copy, modify, distribute, publish, license, transfer, sell, or attempt to extract its source code by means such as decompilation. This document does not provide any explicit, implied, or statutory warranties, including but not limited to warranties of merchantability, fitness, and non-infringement. Under no circumstances shall Sangfor Technologies Ltd. or its direct or indirect subsidiaries be liable for any damages, including direct, indirect, incidental, and consequential loss of business profits or special damages. Any legal responsibility arising from any means of using this document shall be borne by you. Sangfor reserves the right to modify or update the content and information of this document at any time.
Update History:
2023-10-12 V1.0 Initial release.