SonicWall SMA 100 appliances beset by multiple vulnerabilities

SonicWall issued patches to address five vulnerabilities in its Secure Mobile Access 100 network security appliances.

The security vendor said the five flaws, ranging from 6.5 to 9.8 Common Vulnerability Scoring System (CVSS) severity rating, can be addressed via a firmware update for the SMA network defense boxes.

The flaws, which were each discovered and reported by Rapid7 researcher Jake Baines, range from path traversal and unintended proxy bugs to command injection and remote code execution vulnerabilities. Administrators are being advised to update their firmware, as the flaws could potentially affect the SonicWall SMA 100 series and allow for complete takeover of the appliances.

The most serious of the flaws, CVE-2021-20038, is a stack-based buffer overflow error that could allow for a remote attacker to obtain code execution on the network security appliance via a malformed data packet. The flaw was assessed as a 9.8 CVSS vulnerability, a designation generally reserved for the most severe of security issues.

According to Rapid7, the vulnerability is found in the way the appliance handles Apache httpd calls. When the cgi_build_command function is called, the strcat buffer can be overloaded and allow for attackers to load up commands.

"There is no bounds checking on this environment string buildup, so if a malicious attacker were to generate an overly long QUERY_STRING then they can overflow the stack-based buffer," Rapid7 said in an advisory.

In practice, this means an attacker can take control of the SMA 100 hardware and use the compromised appliance to intercept or redirect network traffic.

"This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack," noted the Rapid7 team. "Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike."

The remaining flaws include CVE-2021-20039, a command injection vulnerability, and CVE-2021-20041, an infinite loop flaw. The bugs were designated CVSS ratings of 7.2 and 7.5 respectively.

CVE-2021-20041 is particularly noteworthy due to its threat model. While denial-of-service attacks aren't generally considered serious threats, when it comes to a network security appliance like the SMA series, a hardware crash can lead to a serious security breach.

Fortunately, Rapid7 said there are some mitigating factors for this flaw.

"A number of additional requests are required to truly deny availability, as this is not a one-shot denial-of-service request," the vendor noted.

The remaining bugs, CVE-2021-20040 and CVE-2021-20042, were relatively minor flaws that involved path traversal and "confused deputy" information disclosure flaws, respectively.

Rpaid7 reported the five vulnerabilities to SonicWall on Oct. 18. The network security vendor published a security advisory on Dec. 7 and released new firmware updates for SMA 100 devices that patched all five bugs.