Critical SonicWall VPN Bugs Allow Complete Appliance Takeover


Unauthenticated, remote attackers can achieve root-level RCE on SMA 100-series appliances.

Critical security vulnerabilities in SonicWall’s Secure Mobile Access (SMA) 100-series VPN appliances could allow an unauthenticated, remote user to execute code as root.

The SMA 100 line was created to provide end-to-end secure remote access to corporate resources, be they hosted on-prem, cloud or hybrid data centers. It also offers policy-enforced access control to applications after establishing user and device identity and trust.

The most severe of the bugs, an unauthenticated stack-based buffer overflow, carries a CVSS severity score of 9.8 out of 10. If exploited, it could allow a remote, unauthenticated attacker to execute code as the “nobody” user on the appliance, which on these devices amounts to root access. The adversary could then take complete control of the device, enabling and disabling security policies and access privileges for user accounts and applications.

The issue (CVE-2021-20038) arises because strcat() is used, without any bounds check, to copy environment variables derived from HTTP GET requests into a single fixed-size stack buffer in the appliance’s Apache httpd server.

“The vulnerability is due to the SonicWall SMA SSLVPN Apache httpd server GET method of mod_cgi module environment variables use a single stack-based buffer using `strcat`,” according to SonicWall’s security advisory, issued Tuesday.

Other Critical SonicWall CVEs
CVE-2021-20038 is just one of many bugs the vendor addressed this week. Also notable is a group of bugs collectively tracked as CVE-2021-20045, which carries a combined critical CVSS score of 9.4: heap- and stack-based buffer overflows in the file explorer component that allow remote code execution (RCE) as root.

“This vulnerability is due to the sonicfiles RAC_COPY_TO (RacNumber 36) method which allows users to upload files to an SMB share and can be called without any authentication,” according to the advisory. “RacNumber 36 of the sonicfiles API maps to the upload_file Python method and this is associated with filexplorer binary, which is a custom program written in C++ which is vulnerable to a number of memory-safety issues.”

There’s also CVE-2021-20043, with a critical CVSS score of 8.8. It is likewise a heap-based buffer overflow allowing root-level code execution, but it requires authentication to exploit. It’s found in the getBookmarks function and, like CVE-2021-20038, stems from the unchecked use of strcat.

“This vulnerability is due to the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks,” according to the advisory.
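The two strcat bugs above (CVE-2021-20038 in the mod_cgi environment handling and CVE-2021-20043 in getBookmarks) share one root cause: attacker-influenced strings are appended to a fixed-size stack buffer with no check on the space that remains. The following is an added illustration of that pattern and of its bounded replacement; it is not SonicWall code and does not reproduce the appliance’s logic. The buffer size (ENV_BUF_SIZE), the CGI variable names, the function names and the oversized sample value are all constructed assumptions chosen to make the pattern visible.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not SonicWall code. ENV_BUF_SIZE is an assumption;
 * it is small so the failure case is reached with a short sample input. */
#define ENV_BUF_SIZE 64

/* The unsafe pattern the advisory describes: each append trusts that room
 * remains. A value longer than the remaining space writes past the end of
 * the stack buffer. Kept here for contrast only; the demo feeds it nothing
 * but short literals. */
void append_env_unchecked(char *buf, const char *name, const char *value)
{
    strcat(buf, name);
    strcat(buf, "=");
    strcat(buf, value);
    strcat(buf, "\n");
}

/* Hardened form: measure before writing, refuse the whole entry if it does
 * not fit, and leave the buffer exactly as it was on refusal.
 * Returns 0 on success, -1 when the entry would not fit. */
int append_env_bounded(char *buf, size_t cap, const char *name, const char *value)
{
    const char *end = memchr(buf, '\0', cap);
    if (end == NULL)                 /* no terminator within cap: not usable */
        return -1;
    size_t used = (size_t)(end - buf);
    size_t need = strlen(name) + 1 + strlen(value) + 1;   /* '=' and '\n' */
    if (need > cap - used - 1)       /* keep one byte for the terminating NUL */
        return -1;
    int n = snprintf(buf + used, cap - used, "%s=%s\n", name, value);
    if (n < 0 || (size_t)n >= cap - used) {   /* defence in depth; unreachable after the check */
        buf[used] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed request: two ordinary CGI variables followed by an oversized
 * QUERY_STRING of the kind a hostile GET request could carry (199 'A's).
 * Returns the number of entries the bounded appender refused, or -1 if the
 * buffer was not left intact after the refusal. */
int run_demo(void)
{
    char env[ENV_BUF_SIZE] = "";
    char oversized[200];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    const char *names[]  = { "REQUEST_METHOD", "SERVER_PROTOCOL", "QUERY_STRING" };
    const char *values[] = { "GET", "HTTP/1.1", oversized };
    int refused = 0;
    for (size_t i = 0; i < 3; i++) {
        if (append_env_bounded(env, sizeof env, names[i], values[i]) != 0)
            refused++;
    }
    /* The two accepted entries occupy 44 bytes; the third needed 213 more,
     * which append_env_unchecked would have written straight past the end. */
    if (strcmp(env, "REQUEST_METHOD=GET\nSERVER_PROTOCOL=HTTP/1.1\n") != 0)
        return -1;
    return refused;
}

int main(void)
{
    char small[ENV_BUF_SIZE] = "";
    append_env_unchecked(small, "REQUEST_METHOD", "GET");   /* fine only while input is short */
    printf("unchecked, short input: %s", small);
    printf("bounded, entries refused: %d\n", run_demo());
    return 0;
}
```

The bounded version fails closed: an entry that does not fit is dropped in full rather than truncated, so a caller that later parses the buffer never sees a half-written name=value pair. From a detection standpoint, the refusal is also the natural place to log the over-long variable and the requesting client.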

Read more at: threatpost.com