Multiple vulnerabilities in SonicWal SMA 100 products



Published: 2021-12-07 | Updated: 2022-01-25
Risk Critical
Patch available YES
Number of vulnerabilities 8
CVE-ID CVE-2021-20038
CVE-2021-20039
CVE-2021-20040
CVE-2021-20041
CVE-2021-20042
CVE-2021-20043
CVE-2021-20044
CVE-2021-20045
CWE-ID CWE-121
CWE-77
CWE-434
CWE-835
CWE-441
CWE-122
CWE-284
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe
SMA 100
Hardware solutions / Security hardware applicances

Vendor SonicWall

Security Bulletin

This security bulletin contains information about 8 vulnerabilities.

1) Stack-based buffer overflow

EUVDB-ID: #VU58619

Risk: Critical

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-20038

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTTP GET requests in the SonicWall SMA SSLVPN. A remote unauthenticated attacker can send a specially crafted HTTP request to the SSL VPN interface, trigger a stack-based buffer overflow in the mod_cgi module and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.1.0-17sv - 10.2.1.2-24sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Command Injection

EUVDB-ID: #VU58620

Risk: High

CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]

CVE-ID: CVE-2021-20039

CWE-ID: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to the SonicWall SMA SSLVPN `/cgi-bin/viewcert` endpoint allows users to upload, view, or delete SSL certificates. A remote authenticated user can send a specially crafted HTTP POST request to the affected SSL VPN interface and execute arbitrary commands on the system with root privileges.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 9.0.0.11-31sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

3) Arbitrary file upload

EUVDB-ID: #VU58621

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20040

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the appliance allows unauthenticated file upload. A remote non-authenticated attacker can send a specially crafted HTTP request to the appliance and upload arbitrary file to any directory on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Infinite loop

EUVDB-ID: #VU58622

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20041

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the "/fileshare/sonicfiles/sonicfiles" endpoint in the `fileexplorer` process. A remote non-authenticated attacker can send specially crafted HTTP request to the system and consume all available CPU resources.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 9.0.0.11-31sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Unintended Proxy or Intermediary

EUVDB-ID: #VU58623

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20042

CWE-ID: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing security checks that allow a remote non-authenticated attacker to bypass firewall rules and use undetected the appliance as intermediary proxy to access internal and external resources.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 9.0.0.11-31sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Heap-based buffer overflow

EUVDB-ID: #VU58624

Risk: High

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20043

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks. A remote user can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Improper access control

EUVDB-ID: #VU58625

Risk: Medium

CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20044

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper access restrictions in the Management API. A remote user can bypass implemented security restrictions and execute system commands as ‘nobody’ user.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Heap-based buffer overflow

EUVDB-ID: #VU58626

Risk: Critical

CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-20045

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_COPY_TO (RacNumber 36) method which allows users to upload files to an SMB share and can be called without any authentication. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv


CPE2.3 External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###