Researchers offer more detail on the bug, which can allow attackers to completely take over targets.
Rapid7 has offered up more details on a critical SonicWall flaw that allows unauthenticated remote code execution (RCE) on affected devices, noting that it arises from changes the vendor made to the Apache httpd server.
The bug (CVE-2021-20038) is one of five vulnerabilities discovered in the vendor's popular line of network access control (NAC) appliances.

In October, Rapid7 lead security researcher Jake Baines found the flaws in SonicWall's Secure Mobile Access (SMA) 100 series of devices, which includes the SMA 200, 210, 400, 410 and 500v, he wrote in a report published Tuesday.
SonicWall's SMA 100 line offers end-to-end secure remote access to corporate resources, whether they are hosted on-premises, in the cloud or in hybrid data centers. The suite also provides policy-enforced access control for business users to applications after establishing user and device identity and trust.
CVE-2021-20038 is the most critical of the flaws, with a score of 9.8 on the Common Vulnerability Scoring System (CVSS). It is a stack-based buffer overflow vulnerability that an attacker can exploit to gain complete control of a device or virtual machine running SonicWall's NAC solution.
The flaw allows attackers to overwrite multiple security-critical pieces of data on the execution stack, which can lead to arbitrary code execution, according to the weakness description on the Common Weakness Enumeration site.
"The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing," according to that description. "The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program."
Exploiting the Critical Vulnerability
The stack-based buffer overflow flaw discovered by Baines affects SonicWall SMA 100 series version 10.2.1.1-19sv and is by far the most dangerous for affected devices, and therefore the most useful to attackers, he wrote.
By exploiting the issue, attackers "can gain complete control of the device or virtual machine" running the appliance software, according to the report.
"This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack," Baines wrote.
This week, Baines revealed that the problem lies in the appliance's web server, which is "a slightly modified version of the Apache httpd server," he explained in the report, which was shared with Threatpost ahead of publication.
One of the notable modifications is in the mod_cgi module (/lib/mod_cgi.so) and, specifically, a custom version of the cgi_build_command function that appends all of the environment variables onto a single stack-based buffer using strcat, Baines wrote.
"There is no bounds checking on this environment string buildup, so if a malicious attacker were to generate an overly long QUERY_STRING then they can overflow the stack-based buffer," he explained. The result is a crash that compromises the system, Baines wrote.
"Technically, the … crash is due to an invalid read, but you can see the stack has been successfully overwritten," he wrote. "A functional exploit should be able to return to an attacker's desired address."
Since edge-based NAC devices "are particularly attractive targets for attackers," Baines said it is important that organizations whose networks use SonicWall's SMA 100 series devices in any form apply SonicWall's update as quickly as possible to fix the issues.
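To make the mechanism concrete, the following C is an added illustration written for this page; it is not code from Rapid7's report or from SonicWall's firmware. It models the pattern Baines describes (a command builder that strcat's every CGI environment variable into one fixed-size stack buffer with no bounds check) next to a bounded version that refuses input that would not fit. The buffer size, the single-space separator, the helper names and the sample environments are all assumptions for illustration; the page does not give the real function's buffer size or layout.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: deliberately small so the arithmetic is easy to follow. */
#define ENV_BUF_SIZE 256

/* Constructed sample CGI environment of the kind a web server hands to mod_cgi. */
static const char *benign_env[] = {
    "REQUEST_METHOD=GET",
    "SCRIPT_NAME=/cgi-bin/example.cgi",
    "QUERY_STRING=user=alice&page=1",
};
#define BENIGN_ENV_COUNT (sizeof benign_env / sizeof benign_env[0])

/* Bytes the joined string needs: entries, one space between them, trailing NUL. */
static size_t cgi_env_bytes_needed(const char **env, size_t n)
{
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += strlen(env[i]) + (i + 1 < n ? 1 : 0);
    return total;
}

/* True when the unbounded strcat loop below would write past its stack buffer. */
static bool unbounded_would_overflow(const char **env, size_t n)
{
    return cgi_env_bytes_needed(env, n) > ENV_BUF_SIZE;
}

/* Vulnerable pattern: every variable is strcat'ed into one fixed stack buffer with
 * no check against its size. An overlong QUERY_STRING runs past buf into the saved
 * registers and return address. Only call this when unbounded_would_overflow() is
 * false; the overflow itself is undefined behaviour and is never executed here. */
static int build_env_unbounded(const char **env, size_t n, char *out, size_t out_size)
{
    char buf[ENV_BUF_SIZE];
    buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        strcat(buf, env[i]);
        if (i + 1 < n)
            strcat(buf, " ");
    }
    snprintf(out, out_size, "%s", buf);
    return (int)strlen(buf);
}

/* Hardened version: tracks the remaining space and returns -1 instead of writing
 * past the end. Refusing beats silent truncation, which would change what the CGI
 * program sees in its environment. */
static int build_env_bounded(const char **env, size_t n, char *out, size_t out_size)
{
    size_t used = 0;
    if (out_size == 0)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(env[i]);
        size_t sep = (i + 1 < n) ? 1 : 0;
        if (len + sep >= out_size - used)   /* need len + sep + 1 bytes incl. NUL */
            return -1;
        memcpy(out + used, env[i], len);
        used += len;
        if (sep)
            out[used++] = ' ';
        out[used] = '\0';
    }
    return (int)used;
}

/* Constructed attacker environment: QUERY_STRING padded with qlen 'A' bytes. */
#define ATTACKER_QUERY_MAX 1024
#define ATTACKER_ENV_COUNT 2
static char attacker_query[sizeof("QUERY_STRING=") + ATTACKER_QUERY_MAX];
static const char *attacker_env[ATTACKER_ENV_COUNT];

static const char **make_attacker_env(size_t qlen)
{
    static const char prefix[] = "QUERY_STRING=";
    size_t plen = sizeof prefix - 1;
    if (qlen > ATTACKER_QUERY_MAX)
        qlen = ATTACKER_QUERY_MAX;
    memcpy(attacker_query, prefix, plen);
    memset(attacker_query + plen, 'A', qlen);
    attacker_query[plen + qlen] = '\0';
    attacker_env[0] = "REQUEST_METHOD=GET";
    attacker_env[1] = attacker_query;
    return attacker_env;
}

/* Helpers returning checkable values from a static output buffer. */
static int bounded_len(const char **env, size_t n)
{
    static char out[ENV_BUF_SIZE];
    return build_env_bounded(env, n, out, sizeof out);
}

static bool bounded_equals(const char **env, size_t n, const char *expected)
{
    static char out[ENV_BUF_SIZE];
    return build_env_bounded(env, n, out, sizeof out) >= 0 && strcmp(out, expected) == 0;
}

static int unbounded_len(const char **env, size_t n)
{
    static char out[ENV_BUF_SIZE];
    if (unbounded_would_overflow(env, n))
        return -1;                         /* never feed the overflow to strcat */
    return build_env_unbounded(env, n, out, sizeof out);
}

int main(void)
{
    const char **evil = make_attacker_env(600);
    printf("benign: needs %zu bytes, bounded builder returned %d\n",
           cgi_env_bytes_needed(benign_env, BENIGN_ENV_COUNT),
           bounded_len(benign_env, BENIGN_ENV_COUNT));
    printf("attacker: needs %zu bytes, overflows %d-byte stack buffer: %s, bounded builder returned %d\n",
           cgi_env_bytes_needed(evil, ATTACKER_ENV_COUNT), ENV_BUF_SIZE,
           unbounded_would_overflow(evil, ATTACKER_ENV_COUNT) ? "yes" : "no",
           bounded_len(evil, ATTACKER_ENV_COUNT));
    return 0;
}
```

The point of the comparison is that the unbounded loop has no way to fail: whatever the request supplies is copied, and the copy only stops at the end of the data, not at the end of the buffer. The bounded builder keeps a running count of bytes used and fails closed at exactly the point where the next entry plus its NUL would no longer fit, which is the check the modified function lacks; a production fix would more naturally size the allocation to the content (as with pool-allocated strings) rather than pick a fixed buffer at all.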
Reported & Fixed: Patch Now
The other flaws discovered by Baines were rated with CVSS severity in the range of 6.5 to 7.5. They include an "improper neutralization of special elements used in an OS command," or OS command injection flaw, with a score of 7.2 (CVE-2021-20039); a relative path traversal vulnerability with a score of 6.5 (CVE-2021-20040); a loop with unreachable exit condition, or infinite loop flaw, with a score of 7.5 (CVE-2021-20041); and an unintended proxy or intermediary, also known as a "confused deputy" vulnerability, with a score of 6.5 (CVE-2021-20042).
In his analysis, Baines tested the SMA 500v firmware versions 9…11-31sv and 10.2.1.1-19sv, finding that CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining issues affect both firmware versions.
Baines reported the flaws to SonicWall and worked with the vendor to remediate the vulnerabilities over a period of about two months. On Dec. 7, SonicWall released a security advisory and updates fixing the issues Baines had identified.
His report details each flaw and its impact and was published in accordance with Rapid7's vulnerability disclosure policy.
Some parts of this article are sourced from:
threatpost.com