A Rapid7 researcher has published additional details on a SonicWall bug in the company's Secure Mobile Access (SMA) 100 series network security appliances that permits unauthenticated remote code execution (RCE) on vulnerable devices.
In October last year, Rapid7 researcher Jake Baines uncovered five vulnerabilities in SonicWall's Secure Mobile Access (SMA) 100 series of devices, which includes the SMA 200, 210, 400, 410 and 500v.
The SMA 100 line is designed to provide end-to-end secure remote access to corporate resources, whether they are hosted on-premises, in the cloud or in hybrid data centers. It also provides policy-enforced access control to applications once user and device identity and trust have been established.
The most severe of the flaws is CVE-2021-20038, rated 9.8 on the Common Vulnerability Scoring System (CVSS) scale. It is a stack-based buffer overflow that allows a threat actor to take complete control of a vulnerable SMA 100 appliance.
According to the researcher, the bug lies in the way the appliance's Apache httpd handles CGI requests. When the cgi_build_command function assembles the command for a request, data taken from the request is copied into a fixed-size stack buffer without a length check, so an oversized request overflows the buffer and overwrites whatever lies beyond it on the stack.
“The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing,” Baines explained in the blog post. “The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program.”
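The overflow pattern described above, as an added illustration that is not SonicWall's code, Rapid7's exploit or anything taken from the advisory: a CGI command builder that appends request variables to a fixed-size stack buffer with strcat and no bounds check, beside a hardened builder that tracks remaining capacity and rejects oversized input. The function names (modelled on the article's cgi_build_command), the 64-byte buffer size, the placeholder return address and the request contents are all assumptions made for the example; the frame_model struct stands in for the real stack layout so the overwrite of the saved return address can be observed without crashing the program.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative reconstruction of the bug class only; not SonicWall's code. */
#define CMD_BUF_SIZE 64      /* assumed size of the fixed stack buffer */
#define RET_ADDR_SIZE 8      /* size of a saved return address on x86-64 */

/* Byte-level model of one stack frame: the command buffer is immediately
 * followed by the saved return address, as in a typical frame layout.
 * Overflowing the buffer lands on the modelled return address instead of
 * the real one, so the effect can be observed without crashing. */
struct frame_model {
    unsigned char bytes[CMD_BUF_SIZE + RET_ADDR_SIZE];
};

static uint64_t saved_return(const struct frame_model *f) {
    uint64_t v;
    memcpy(&v, f->bytes + CMD_BUF_SIZE, RET_ADDR_SIZE);
    return v;
}

/* Vulnerable pattern: every variable is appended with strcat and nothing
 * compares the combined length with the buffer's size. */
static void cgi_build_command_vulnerable(char *dst, const char **env, size_t n) {
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strcat(dst, env[i]);
        if (i + 1 < n)
            strcat(dst, " ");
    }
}

/* Hardened variant: track remaining capacity and refuse any request whose
 * variables (plus separators and the terminating NUL) do not fit. */
static int cgi_build_command_safe(char *dst, size_t cap, const char **env, size_t n) {
    size_t used = 0;
    dst[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(env[i]);
        size_t sep = (i + 1 < n) ? 1 : 0;
        if (len + sep >= cap - used)   /* would overflow: reject the request */
            return -1;
        memcpy(dst + used, env[i], len);
        used += len;
        if (sep)
            dst[used++] = ' ';
        dst[used] = '\0';
    }
    return 0;
}

/* Constructed oversized request variable: "QUERY_STRING=" padded with 'A'
 * until it exactly fills the buffer and the modelled return-address slot. */
#define OVERSIZED_LEN (CMD_BUF_SIZE + RET_ADDR_SIZE - 1)
static const char *oversized_query(void) {
    static char buf[OVERSIZED_LEN + 1];
    const char *prefix = "QUERY_STRING=";
    size_t p = strlen(prefix);
    memcpy(buf, prefix, p);
    memset(buf + p, 'A', OVERSIZED_LEN - p);
    buf[OVERSIZED_LEN] = '\0';
    return buf;
}

/* Feed one request variable through the vulnerable builder and return the
 * modelled saved return address afterwards. */
static uint64_t run_vulnerable(const char *var) {
    struct frame_model f;
    const uint64_t legit_ret = 0x401234;   /* placeholder return address */
    const char *env[] = { var };
    memset(f.bytes, 0, sizeof f.bytes);
    memcpy(f.bytes + CMD_BUF_SIZE, &legit_ret, RET_ADDR_SIZE);
    cgi_build_command_vulnerable((char *)f.bytes, env, 1);
    return saved_return(&f);
}

/* Same request through the hardened builder; 0 = built, -1 = rejected. */
static int run_safe(const char *var) {
    char cmd[CMD_BUF_SIZE];
    const char *env[] = { var };
    return cgi_build_command_safe(cmd, sizeof cmd, env, 1);
}

int main(void) {
    const char *q = oversized_query();
    printf("vulnerable: saved return after overflow = 0x%016llx (was 0x401234)\n",
           (unsigned long long)run_vulnerable(q));
    printf("hardened:   %s\n", run_safe(q) == 0 ? "built command" : "request rejected");
    return 0;
}
```

The vulnerable builder writes the padding straight over the modelled return address, which is the overwrite Baines describes; a real attacker would place a chosen address there instead of 'A' bytes. The hardened builder fails closed: it checks the length before copying, so the request is rejected rather than truncated or silently accepted.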
The other bugs discovered are CVE-2021-20039, a command injection vulnerability rated 7.2; CVE-2021-20040, a relative path traversal vulnerability rated 6.5; CVE-2021-20041, an infinite loop flaw; and CVE-2021-20042, an unintended proxy or intermediary, also known as a “confused deputy” vulnerability, rated 6.5.
In his analysis, Baines examined SMA 500v firmware versions 9…11-31sv and 10.2.1.1-19sv and found that CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining three issues affect both firmware versions.
Rapid7 reported the five vulnerabilities to SonicWall on Oct. 18. On Dec. 7, SonicWall released a security advisory and updates fixing the bugs Baines had discovered.