Privilege escalation in SonicWall SMA 1000



Published: 2022-08-09 | Updated: 2022-12-22
Risk: Low
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2021-33909, CVE-2022-0847
CWE-ID: CWE-190, CWE-908
Exploitation vector: Local
Public exploit: Public exploit code for vulnerability #1 is available. Vulnerability #2 is being exploited in the wild.
Vulnerable software: SonicWall SMA 1000 (Hardware solutions / Routers & switches, VoIP, GSM, etc.)
Vendor: SonicWall

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU55143

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-33909

CWE-ID: CWE-190 - Integer overflow

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to an integer overflow during size_t-to-int conversion when creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB. An unprivileged local user can write a string of up to 10 bytes to an offset of exactly -2GB-10B below the beginning of a vmalloc()-allocated kernel buffer.

Successful exploitation of the vulnerability may allow an attacker to use this out-of-bounds write to execute arbitrary code with root privileges.
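The size_t-to-int narrowing named in the description is the generic CWE-190 pattern. The C program below is an illustration added here; it is not part of the SonicWall advisory or of the affected kernel code. It shows how a length above INT_MAX turns into a negative int when narrowed on common compilers, and the two defensive forms a reviewer expects instead: a range-checked conversion, and an overflow-aware accumulation of path-component lengths that refuses to grow past what an int can hold. The 2 GiB + 10 byte sample length, the component size and the nesting depth are constructed values, not figures taken from the vulnerability.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The pattern CWE-190 warns about: a size_t that does not fit an int is
 * narrowed without a check. On the usual two's-complement ABIs the value
 * wraps, so a length just above 2 GiB becomes a large negative number that
 * later offset arithmetic treats as a valid (negative) position. */
int naive_size_to_int(size_t len)
{
    return (int)len;  /* implementation-defined narrowing; wraps on GCC/Clang */
}

/* Hardened conversion: refuse anything that does not fit an int.
 * Returns true and stores the value on success, false if out of range. */
bool checked_size_to_int(size_t len, int *out)
{
    if (len > (size_t)INT_MAX)
        return false;
    *out = (int)len;
    return true;
}

/* Accumulate the length of a nested path one component at a time. Each
 * component contributes its own length plus one byte for the '/' separator.
 * The total is capped at INT_MAX so it can later be stored in an int safely;
 * returns false and leaves *total untouched on the component that would
 * push it over the limit. */
bool add_path_component(size_t *total, size_t component_len)
{
    size_t added = component_len + 1;          /* +1 for the '/' separator   */
    if (added < component_len)                 /* size_t wraparound itself   */
        return false;
    if (*total > (size_t)INT_MAX - added)      /* would exceed the int range */
        return false;
    *total += added;
    return true;
}

/* Constructed scenario: `depth` nested directories whose names are all
 * `component_len` bytes long. Returns the accumulated length reached and
 * sets *ok to false if the cap was hit before all components were added. */
size_t nested_path_length(size_t depth, size_t component_len, bool *ok)
{
    size_t total = 0;
    *ok = true;
    for (size_t i = 0; i < depth; i++) {
        if (!add_path_component(&total, component_len)) {
            *ok = false;
            break;
        }
    }
    return total;
}

int main(void)
{
    /* Constructed sample length: 2 GiB plus 10 bytes. */
    size_t len = (size_t)2147483648u + 10;
    int value;

    printf("naive narrowing of %zu gives %d\n", len, naive_size_to_int(len));
    if (!checked_size_to_int(len, &value))
        printf("checked conversion rejected %zu (exceeds INT_MAX)\n", len);

    /* Constructed deep tree: 255-byte names nested 2^23 levels deep. */
    bool ok;
    size_t reached = nested_path_length(8388608, 255, &ok);
    printf("path accumulation %s at %zu bytes\n",
           ok ? "completed" : "stopped", reached);
    return 0;
}
```

The two checks differ in where they sit: checked_size_to_int guards a single narrowing at the point of use, while add_path_component keeps the running total from ever reaching a value that would need narrowing, which is the cheaper place to fail when lengths are built up incrementally.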

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

SonicWall SMA 1000: 12.4.0 - 12.4.2-02044


External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015

Q & A

Can this vulnerability be exploited remotely?

How can an attacker exploit this vulnerability?

Is there known malware that exploits this vulnerability?

2) Use of uninitialized resource

EUVDB-ID: #VU61110

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2022-0847

CWE-ID: CWE-908 - Use of Uninitialized Resource

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the use of an uninitialized resource. A local user can overwrite arbitrary files in the page cache, even if the file is read-only, and execute arbitrary code on the system with elevated privileges.

The vulnerability was dubbed Dirty Pipe.

Mitigation

Install the update from the vendor's website.

Vulnerable software versions

SonicWall SMA 1000: 12.4.0 - 12.4.2-02044


External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015

Q & A

Can this vulnerability be exploited remotely?

How can an attacker exploit this vulnerability?

Is there known malware that exploits this vulnerability?
