SB2021120713 - Multiple vulnerabilities in SonicWal SMA 100 products

Description

This security bulletin contains information about 8 secuirty vulnerabilities.

1) Stack-based buffer overflow (CVE-ID: CVE-2021-20038)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error when processing HTTP GET requests in the SonicWall SMA SSLVPN. A remote unauthenticated attacker can send a specially crafted HTTP request to the SSL VPN interface, trigger a stack-based buffer overflow in the mod_cgi module and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Command Injection (CVE-ID: CVE-2021-20039)

The vulnerability allows a remote user to compromise the affected system.

The vulnerability exists due to the SonicWall SMA SSLVPN `/cgi-bin/viewcert` endpoint allows users to upload, view, or delete SSL certificates. A remote authenticated user can send a specially crafted HTTP POST request to the affected SSL VPN interface and execute arbitrary commands on the system with root privileges.

3) Arbitrary file upload (CVE-ID: CVE-2021-20040)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to the appliance allows unauthenticated file upload. A remote non-authenticated attacker can send a specially crafted HTTP request to the appliance and upload arbitrary file to any directory on the system.

4) Infinite loop (CVE-ID: CVE-2021-20041)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the "/fileshare/sonicfiles/sonicfiles" endpoint in the `fileexplorer` process. A remote non-authenticated attacker can send specially crafted HTTP request to the system and consume all available CPU resources.

5) Unintended Proxy or Intermediary (CVE-ID: CVE-2021-20042)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to missing security checks that allow a remote non-authenticated attacker to bypass firewall rules and use undetected the appliance as intermediary proxy to access internal and external resources.

6) Heap-based buffer overflow (CVE-ID: CVE-2021-20043)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks. A remote user can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

7) Improper access control (CVE-ID: CVE-2021-20044)

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improper access restrictions in the Management API. A remote user can bypass implemented security restrictions and execute system commands as ‘nobody’ user.

8) Heap-based buffer overflow (CVE-ID: CVE-2021-20045)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in the RAC_COPY_TO (RacNumber 36) method which allows users to upload files to an SMB share and can be called without any authentication. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026