Advisory: CVE-2017-10927 – Sophos Web Appliance PPD Injection


Sophos Web Appliance is a “next generation” anti-malware and content filtering proxy appliance created by Sophos.


During a review of Sophos Web Appliance, MDSec discovered a remote code injection vulnerability that can be exploited by a suitably positioned, unauthenticated attacker within the network.

Versions < of the appliance periodically make a number of requests to swa-dynamic.sophosupd.com to retrieve Perl package description (PPD) files, for example:

- - [29/Jun/2017 16:55:02] "GET /swa/data/mainline/Sophos-Labs-Data.ppd HTTP/1.1" 200 -
- - [29/Jun/2017 16:56:01] "GET /swa/data/mainline/Sophos-App-Control-Data.ppd HTTP/1.1" 200 -
- - [29/Jun/2017 16:57:02] "GET /swa/data/mainline/PureMessage-Sophos-Engine.ppd HTTP/1.1" 200 -

These requests are performed over plain HTTP, meaning that a suitably positioned attacker within the network is able to intercept them through either a DNS poisoning or an ARP man-in-the-middle attack. The PPD packages retrieved by the appliance contain a Perl script that is ultimately executed. Furthermore, the user executing this unsigned script has unrestricted sudo privileges, allowing for privilege escalation to root.

The attacker is able to gain code execution on the SWA either by replacing the archive, including the install.pl script within it, or by simply injecting arbitrary Perl into the install commands of the PPD:

BEGIN { unlink __FILE__ } # Old ppm workaround
do './install.pl' || die "Install script did not succeed!\n$@$!\n";
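As an added, defender-side example (not code from the advisory or from Sophos), the check below audits a fetched PPD against the install commands quoted above and flags any deviation from that baseline, as well as any CODEBASE reference that is not served over TLS. It assumes the ppm-style PPD layout (SOFTPKG / IMPLEMENTATION / INSTALL / CODEBASE elements); the two sample PPD documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Expected INSTALL body, exactly as quoted in the advisory (whitespace-normalised).
EXPECTED_INSTALL = (
    "BEGIN { unlink __FILE__ } # Old ppm workaround "
    "do './install.pl' || die \"Install script did not succeed!\\n$@$!\\n\";"
)


def _norm(text):
    """Collapse runs of whitespace so indentation and line breaks do not matter."""
    return re.sub(r"\s+", " ", text or "").strip()


def audit_ppd(ppd_xml):
    """Return a list of findings for a fetched PPD; an empty list means it matches the baseline."""
    findings = []
    root = ET.fromstring(ppd_xml)
    for impl in root.iter("IMPLEMENTATION"):
        install = impl.find("INSTALL")
        if install is None:
            findings.append("IMPLEMENTATION has no INSTALL element")
        elif _norm(install.text) != EXPECTED_INSTALL:
            findings.append("INSTALL commands deviate from baseline: " + _norm(install.text)[:80])
        for cb in impl.findall("CODEBASE"):
            href = cb.get("HREF", "")
            if not href.lower().startswith("https://"):
                findings.append("CODEBASE not fetched over TLS: " + href)
    return findings


# Constructed sample: matches the quoted install commands and references the archive over TLS.
GOOD_PPD = r"""<SOFTPKG NAME="Sophos-Labs-Data" VERSION="1,0,0,0">
  <IMPLEMENTATION>
    <INSTALL EXEC="perl">
      BEGIN { unlink __FILE__ } # Old ppm workaround
      do './install.pl' || die "Install script did not succeed!\n$@$!\n";
    </INSTALL>
    <CODEBASE HREF="https://swa-dynamic.sophosupd.com/swa/data/mainline/Sophos-Labs-Data.tar.gz"/>
  </IMPLEMENTATION>
</SOFTPKG>"""

# Constructed sample: an extra (benign) statement in INSTALL and a cleartext CODEBASE URL.
TAMPERED_PPD = r"""<SOFTPKG NAME="Sophos-Labs-Data" VERSION="1,0,0,0">
  <IMPLEMENTATION>
    <INSTALL EXEC="perl">
      print "tampered\n";
      BEGIN { unlink __FILE__ } # Old ppm workaround
      do './install.pl' || die "Install script did not succeed!\n$@$!\n";
    </INSTALL>
    <CODEBASE HREF="http://swa-dynamic.sophosupd.com/swa/data/mainline/Sophos-Labs-Data.tar.gz"/>
  </IMPLEMENTATION>
</SOFTPKG>"""
```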

This issue was resolved in version of the appliance.


30-06-2017: MDSec contact security@sophos.com who provided the security-alert@ contact
30-06-2017: MDSec provide a PGP encrypted report of the vulnerability
30-06-2017: Sophos acknowledge receipt and pass the report on to the relevant team
30-06-2017: Sophos acknowledge the vulnerability as a known problem
18-07-2017: Sophos provide update reporting fix is causing issues and further trials are required
01-08-2017: Sophos contact MDSec documenting the fix is in place, they are now using cert pinning
08-08-2017: MDSec request permission to disclose
22-08-2017: Sophos confirm they're happy to disclose this issue


This vulnerability was identified by @domchell.

MDSec would like to thank Sophos for their assistance in resolving and disclosing this vulnerability.

written by

MDSec Research


Copyright 2021 MDSec