Jan 11, 2022

Critical SonicWall NAC Vulnerability Stems from Apache Mods

Researchers offer more detail on the bug, which can allow attackers to completely take over targets.
Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution (RCE) on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server.
The bug (CVE-2021-20038) is one of five vulnerabilities discovered in SonicWall’s popular series of network access control (NAC) products.
In October, Rapid7 lead security researcher Jake Baines discovered the flaws in SonicWall’s Secure Mobile Access (SMA) 100 series of devices, which includes the SMA 200, 210, 400, 410 and 500v, he wrote in a report published Tuesday.

SonicWall’s SMA 100 line provides end-to-end secure remote access to corporate resources, whether they are hosted on-premise, in the cloud or in hybrid data centers. The suite also offers policy-enforced access control for corporate users to applications after establishing user and device identity and trust.
CVE-2021-20038 is the most critical of the flaws, with a rating of 9.8 on the Common Vulnerability Scoring System (CVSS). It’s a stack buffer overflow vulnerability that an attacker can exploit to gain complete control of a device or virtual machine that’s running SonicWall’s NAC solution.
The flaw allows attackers to overwrite several security-critical pieces of data on the execution stack, which can lead to arbitrary code execution, according to its advisory listing on the Common Weakness Enumeration website.
“The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing,” according to the advisory. “The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program.”
The stack-based buffer overflow flaw discovered by Baines affects SonicWall SMA 100 series version 10.2.1.1-19sv and is by far the most dangerous for affected devices, and thus the most advantageous for attackers, he wrote.
By exploiting the issue, attackers “can get complete control of the device or virtual machine” that’s running the appliance, according to the report.
“This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack,” Baines wrote.
This week, Baines revealed that the problem lies in the device’s web server, which is “a slightly modified version of the Apache httpd server,” according to the report, shared with Threatpost ahead of publication.
One of the notable modifications is in the mod_cgi module (/lib/mod_cgi.so) and, specifically, a custom version of the cgi_build_command function that appends all the environment variables onto a single stack-based buffer using strcat, Baines wrote.
“There is no bounds checking on this environment string buildup, so if a malicious attacker were to generate an overly long QUERY_STRING then they can overflow the stack-based buffer,” he explained. This results in a crash that compromises the device, Baines wrote.
“Technically, the … crash is due to an invalid read, but you can see the stack has been successfully overwritten,” he wrote. “A functional exploit should be able to return to an attacker’s desired address.”
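The weakness Baines describes is the classic unbounded strcat-into-a-stack-buffer pattern (CWE-121). The following C program is an added illustration, not code from the report or from SonicWall’s mod_cgi: it shows that pattern next to a bounded builder that tracks remaining capacity and rejects an environment that would not fit. The buffer size, the environment pair names and the helper env_fits are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Capacity of the fixed stack buffer; a constructed value for this example. */
#define ENV_BUF_SIZE 256

/* Weak pattern (CWE-121): every "NAME=value" pair is strcat'ed onto a
 * fixed-size stack buffer with no check of the remaining space, so a single
 * oversized value (such as QUERY_STRING) writes past the end of the buffer.
 * Shown only for contrast; it is never called here. */
void build_env_unbounded(const char *const *pairs, size_t n)
{
    char buf[ENV_BUF_SIZE];
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strcat(buf, pairs[i]);   /* no bounds check on the running length */
        strcat(buf, " ");
    }
    (void)buf;                   /* the real server hands buf to the CGI child */
}

/* Hardened helper: append s only if it fits, including the NUL terminator.
 * Returns 0 on success, -1 if the append would overflow. */
static int append_bounded(char *buf, size_t cap, size_t *used, const char *s)
{
    size_t len = strlen(s);
    if (len >= cap - *used)      /* need len bytes plus one for the terminator */
        return -1;
    memcpy(buf + *used, s, len + 1);
    *used += len;
    return 0;
}

/* Hardened builder: writes the space-separated environment into out (cap bytes).
 * Returns 0 on success, -1 if any pair would overflow; on failure out is left
 * empty so a partial environment is never passed on. */
int build_env_bounded(char *out, size_t cap, const char *const *pairs, size_t n)
{
    size_t used = 0;
    if (cap == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        if (append_bounded(out, cap, &used, pairs[i]) < 0 ||
            append_bounded(out, cap, &used, " ") < 0) {
            out[0] = '\0';
            return -1;
        }
    }
    return 0;
}

/* Constructs a request environment whose QUERY_STRING value is query_len
 * bytes long and reports whether the bounded builder accepts it
 * (1 = fits, 0 = rejected, -1 = query_len too large for this helper). */
int env_fits(size_t query_len)
{
    char qs[4096] = "QUERY_STRING=";
    size_t prefix = strlen(qs);
    if (query_len > sizeof(qs) - prefix - 1)
        return -1;
    memset(qs + prefix, 'A', query_len);
    qs[prefix + query_len] = '\0';

    const char *pairs[] = { "REQUEST_METHOD=GET", "SCRIPT_NAME=/cgi-bin/demo", qs };
    char out[ENV_BUF_SIZE];
    return build_env_bounded(out, sizeof(out), pairs, 3) == 0 ? 1 : 0;
}

int main(void)
{
    printf("32-byte query fits:   %d\n", env_fits(32));
    printf("1000-byte query fits: %d\n", env_fits(1000));
    return 0;
}
```

The bounded builder fails closed: rather than truncating silently (which can also corrupt CGI semantics), it refuses the request so the server can return an error. With the constructed 256-byte buffer and the two fixed pairs, a QUERY_STRING value of up to 196 bytes is accepted and anything longer is rejected.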
Since edge-based NAC devices “are especially attractive targets for attackers,” Baines said it’s essential that companies whose networks use SonicWall’s SMA 100 series devices in any form apply SonicWall’s update as quickly as possible to fix the issues.
The other flaws discovered by Baines were rated with CVSS severity in the range of 6.5 to 7.5. They include an “improper neutralization of special elements used in an OS command,” or OS command injection flaw, with a rating of 7.2 (CVE-2021-20039); a relative path traversal vulnerability with a rating of 6.5 (CVE-2021-20040); a loop with unreachable exit condition, or infinite loop flaw, with a rating of 7.5 (CVE-2021-20041); and an unintended proxy or intermediary, also known as a “confused deputy” vulnerability, with a rating of 6.5 (CVE-2021-20042).
In his research, Baines tested the SMA 500v firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv and found that CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining issues affect both firmware versions.
Baines reported the flaws to SonicWall and worked with the vendor to remediate the vulnerabilities over a period of about two months. On Dec. 7, SonicWall released a security advisory and updates fixing the problems Baines had identified.
His report details each flaw and its impact and was published according to Rapid7’s vulnerability disclosure policy.