SonicWall Secure Mobile Access Multiple Vulnerabilities (SNWLID-2021-0026)

critical Nessus Plugin ID 155961

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the remote SonicWall Secure Mobile Access is affected by multiple vulnerabilities, including:

- An unauthenticated stack-based buffer overflow that exists because, in the GET method handling of the SonicWall SMA SSLVPN Apache httpd server, the mod_cgi module environment variables use a single stack-based buffer filled using `strcat`. This can allow a remote, unauthenticated attacker to execute arbitrary code. (CVE-2021-20038)

- Multiple unauthenticated file explorer heap-based and stack-based buffer overflows due to the sonicfiles RAC_COPY_TO (RacNumber 36) method, which allows users to upload files to an SMB share and can be called without any authentication. This can allow a remote, unauthenticated attacker to execute arbitrary code as the nobody user. (CVE-2021-20045)

- A heap-based buffer overflow due to the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method, which allows users to list their bookmarks. This method is vulnerable to a heap-based buffer overflow due to unchecked use of `strcat`. This can allow a remote, authenticated attacker to execute arbitrary code as the nobody user. (CVE-2021-20043)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to version 10.2.0.9-41sv or 10.2.1.3-27sv or later.

See Also

http://www.nessus.org/u?e1e1dbee

http://www.nessus.org/u?01c34e29

Plugin Details

Severity: Critical

ID: 155961

File Name: sonicwall_sma_SNWLID-2021-0026.nasl

Version: 1.8

Type: remote

Family: CGI abuses

Published: 12/9/2021

Updated: 5/6/2022

Risk Information

CVSS Score Source: CVE-2021-20044

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.8

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:sonicwall:sma_100_firmware

Required KB Items: installed_sw/SonicWall Secure Mobile Access

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/7/2021

Vulnerability Publication Date: 12/7/2021

CISA Known Exploited Dates: 2/11/2022

Exploitable With

Metasploit (SonicWall SMA 100 Series Authenticated Command Injection)

Reference Information

CVE: CVE-2021-20038, CVE-2021-20039, CVE-2021-20040, CVE-2021-20041, CVE-2021-20042, CVE-2021-20043, CVE-2021-20044, CVE-2021-20045

IAVA: 2021-A-0572