CVE-2019-25379: Smoothwall Express XSS — Patch Guide
A stored XSS flaw in urlfilter.cgi lets an attacker exploit administrator sessions on Smoothwall Express firewalls to hijack, deface, or reconfigure the firewall. Update to the latest patched version to block this high-severity flaw.
Vendor-confirmed: CVE-2019-25379 is a high-severity cross-site scripting vulnerability in Smoothwall Express firewalls that lets an attacker hijack administrator sessions, deface the interface, and reconfigure firewall rules without authentication. Apply the official patch immediately to prevent persistent compromise.
Overview
A significant security vulnerability has been identified in Smoothwall Express, a popular open-source firewall and network security platform. This flaw allows an attacker to inject malicious scripts into the firewall’s web interface, which can then be executed in the browsers of legitimate administrators or users.
Vulnerability Details
The vulnerability exists within the urlfilter.cgi endpoint of the Smoothwall web administration panel. An attacker can exploit this by submitting specially crafted web requests containing malicious JavaScript code. This code can be hidden within two specific parameters:
- REDIRECT_PAGE
- CHILDREN
There are two primary methods of attack:
- Stored XSS: Malicious scripts are saved on the system and then served to every user who visits a compromised page, creating a persistent threat.
- Reflected XSS: Malicious scripts are embedded in a link. When an administrator clicks the link, the script executes immediately in their browser session.
Potential Impact
The impact of this vulnerability is serious. By exploiting it, an attacker could:
- Hijack Administrator Sessions: Steal the session cookies of logged-in administrators, granting the attacker full control over the Smoothwall firewall without needing a password.
- Deface or Manipulate the Interface: Alter the web interface to display false information or create fraudulent forms to harvest credentials.
- Perform Actions as the Administrator: Execute any action within the administrative interface, such as creating firewall rules to allow malicious traffic, disabling security features, or exporting sensitive configuration data.
- Redirect Users: Redirect administrators to phishing sites designed to steal further credentials.
This vulnerability is rated as HIGH severity with a CVSS score of 7.2.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Solution: Apply the Official Patch
The most effective remediation is to update Smoothwall Express to a patched version. Consult the official Smoothwall project channels or your distribution maintainer for the specific update that addresses CVE-2019-25379. Apply this update during a scheduled maintenance window.
Temporary Mitigation (If Patching is Delayed): If an immediate update is not possible, consider these temporary measures:
- Restrict Access: Ensure the Smoothwall web administration interface is only accessible from trusted, internal management networks and never exposed to the internet.
- Network Segmentation: Place the management interface on a dedicated VLAN with strict access controls.
- User Vigilance: Advise all administrators to be cautious of unexpected links or unusual behavior within the web interface and to log out of sessions when not in use.
Verification:
After applying the patch, test the urlfilter.cgi functionality to ensure it operates normally while rejecting inputs that contain HTML or script tags in the affected parameters.
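An offline way to run this check, as an added example (not Smoothwall's or this advisory's own code): submit an inert marker in each affected parameter, save the HTML returned on submit and again on a fresh page load, then classify how each capture carries the marker. The marker value and the sample captures below are constructed for illustration.

```python
import html
from urllib.parse import unquote

AFFECTED_PARAMS = ("REDIRECT_PAGE", "CHILDREN")  # parameters named in the advisory
PHASES = ("submit", "reload")  # reflected echo, then a fresh page load (stored)
CANARY = "<patchcheck-7f3a>"   # constructed, inert marker: no script, no handler

def classify(body: str) -> str:
    """Classify how one saved response body carries the marker."""
    low = body.lower()
    if CANARY in low:
        return "raw"      # angle brackets came back unencoded: FAIL
    if CANARY in html.unescape(low) or CANARY in unquote(low):
        return "encoded"  # present, but neutralised by output encoding
    return "absent"       # rejected or stripped on input

def verify(saved: dict) -> dict:
    """saved maps (param, phase) -> HTML text captured after submitting CANARY."""
    report = {}
    for param in AFFECTED_PARAMS:
        for phase in PHASES:
            body = saved.get((param, phase))
            report[(param, phase)] = "missing" if body is None else classify(body)
    return report

def passed(report: dict) -> bool:
    """Pass only if every parameter was checked in both phases and none is raw."""
    return all(v in ("encoded", "absent") for v in report.values())

# Constructed sample captures (not real Smoothwall output).
PATCHED = {
    ("REDIRECT_PAGE", "submit"): '<input name="REDIRECT_PAGE" value="&lt;patchcheck-7f3a&gt;">',
    ("REDIRECT_PAGE", "reload"): '<input name="REDIRECT_PAGE" value="&#60;patchcheck-7f3a&#62;">',
    ("CHILDREN", "submit"): "<p>Invalid value for CHILDREN</p>",
    ("CHILDREN", "reload"): '<input name="CHILDREN" value="">',
}
UNPATCHED = dict(PATCHED)
UNPATCHED[("REDIRECT_PAGE", "reload")] = '<input name="REDIRECT_PAGE" value="<patchcheck-7f3a>">'

if __name__ == "__main__":
    for name, saved in (("patched", PATCHED), ("unpatched", UNPATCHED)):
        rep = verify(saved)
        print(name, "PASS" if passed(rep) else "FAIL", rep)
```

A "missing" entry fails the run on purpose: a parameter that was only checked on submit says nothing about the stored case.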