SB2021120713 - Multiple vulnerabilities in SonicWal SMA 100 products

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2021120713

SB2021120713 - Multiple vulnerabilities in SonicWal SMA 100 products

Published: December 7, 2021 Updated: January 25, 2022

Security Bulletin ID SB2021120713
CSH Severity
Critical
Patch available
YES
Number of vulnerabilities 8
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Critical 25% High 50% Medium 25%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 8 vulnerabilities.


1) Stack-based buffer overflow (CVE-ID: CVE-2021-20038)

CWE-ID: CWE-121 - Stack-based buffer overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTTP GET requests in the SonicWall SMA SSLVPN. A remote unauthenticated attacker can send a specially crafted HTTP request to the SSL VPN interface, trigger a stack-based buffer overflow in the mod_cgi module and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


2) Command Injection (CVE-ID: CVE-2021-20039)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber


The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to the SonicWall SMA SSLVPN `/cgi-bin/viewcert` endpoint allows users to upload, view, or delete SSL certificates. A remote authenticated user can send a specially crafted HTTP POST request to the affected SSL VPN interface and execute arbitrary commands on the system with root privileges.


3) Arbitrary file upload (CVE-ID: CVE-2021-20040)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the appliance allows unauthenticated file upload. A remote non-authenticated attacker can send a specially crafted HTTP request to the appliance and upload arbitrary file to any directory on the system.


4) Infinite loop (CVE-ID: CVE-2021-20041)

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the "/fileshare/sonicfiles/sonicfiles" endpoint in the `fileexplorer` process. A remote non-authenticated attacker can send specially crafted HTTP request to the system and consume all available CPU resources.


5) Unintended Proxy or Intermediary (CVE-ID: CVE-2021-20042)

CWE-ID: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing security checks that allow a remote non-authenticated attacker to bypass firewall rules and use undetected the appliance as intermediary proxy to access internal and external resources.


6) Heap-based buffer overflow (CVE-ID: CVE-2021-20043)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks. A remote user can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


7) Improper access control (CVE-ID: CVE-2021-20044)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper access restrictions in the Management API. A remote user can bypass implemented security restrictions and execute system commands as ‘nobody’ user.


8) Heap-based buffer overflow (CVE-ID: CVE-2021-20045)

CWE-ID: CWE-122 - Heap-based Buffer Overflow

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red


The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_COPY_TO (RacNumber 36) method which allows users to upload files to an SMB share and can be called without any authentication. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.


Remediation

Install update from vendor's website.

References