Rapid7 has offered up more details on a SonicWall critical flaw that allows for unauthenticated remote code execution (RCE) on affected devices, noting that it arises from tweaks that the vendor made to the Apache httpd server.
The bug (CVE-2021-20038) is one of five vulnerabilities discovered in its series of popular network access control (NAC) system products.
In October, Rapid7 lead security researcher Jake Baines discovered the flaws in Sonic Wall’s Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410 and 500v, he wrote in a report published Tuesday.
Sonic Wall’s SMA 100 line provides end-to-end secure remote access to corporate resources, whether they are hosted on-premise, in the cloud or in hybrid data centers. The suite also offers policy-enforced access control for corporate users to applications after establishing user and device identity and trust.
CVE-2021-20038 is the most critical of the flaws, with a rating of 9.8 on the Common Vulnerability Scoring System (CVSS). It’s a stack buffer overflow vulnerability that an attacker can exploit to gain complete control of a device or virtual machine that’s running SonicWall’s NAC solution.
The flaw allows attackers to overwrite several security-critical data on an execution stack that can lead to arbitrary code execution, according to its advisory listing on the Common Weakness Enumeration website.
“The most prominent is the stored return address, the memory address at which execution should continue once the current function is finished executing,” according to the advisory. “The attacker can overwrite this value with some memory address to which the attacker also has write access, into which they place arbitrary code to be run with the full privileges of the vulnerable program.”
Exploiting the Critical Vulnerability
The stack-based buffer overflow flaw discovered by Baines affects SonicWall SMA 100 series version: 10.2.1.1-19sv and is by far is the most dangerous for affected devices, and thus the most advantageous for attackers, he wrote.
By exploiting the issue, attackers “can get complete control of the device or virtual machine” that’s running the appliance, according to the report.
“This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack,” Baines wrote.
This week, Baines revealed that the problem in the device lies in its web server, which is “a slightly modified version of the Apache httpd server,” he explained in the report, shared with Threatpost ahead of publication.
One of the notable modifications is in the mod_cgi module (/lib/mod_cgi.so) and, specifically, a custom version of the cgi_build_command function that appends all the environment variables onto a single stack-based buffer using strcat, Baines wrote.
“There is no bounds checking on this environment string buildup, so if a malicious attacker were to generate an overly long QUERY_STRING then they can overflow the stack-based buffer,” he explained. This results in a crash that compromises the device, Baines wrote.
“Technically, the … crash is due to an invalid read, but you can see the stack has been
successfully overwritten,” he wrote. “A functional exploit should be able to return to an attacker’s desired address.”
Since edge-based NAC devices “are especially attractive targets for attackers,” Baines said it’s essential that companies with networks that use SonicWall’s SMA 100 series devices in whatever form apply SonicWall’s update as quickly as possible to fix the issues, Baines said.
Reported & Fixed: Patch Now
The other flaws discovered by Barnes were rated with CVSS severity in the range of 6.5 to 7.5. They include an “improper neutralization of special elements used in an OS command,” or OS command injection flaw with a rating of 7.2 (CVE-2021-20039); a relative path traversal vulnerability with a rating of 6.5 (CVE-2021-20040); a loop with unreachable exit condition, or infinite loop flaw with a rating of 7.5 (CVE-2021-20041); and an unintended proxy or intermediary also known as a “confused deputy” vulnerability with a rating of 6.5 (CVE-2021-20042).
In his research, Baines tested the SMA 500v firmware versions 18.104.22.168-31sv and 10.2.1.1-19sv finding that CVE-2021-20038 and CVE-2021-20040 affect only devices running version 10.2.x, while the remaining issues affect both firmware versions.
Baines reported the flaws to SonicWall and worked with the vendor to remediate the vulnerabilities over a period of about two months. On Dec. 7, SonicWall released a security advisory and updates fixing the problems Baines had identified.
His report details each flaw and its impact and was published according to Rapid7’s vulnerability disclosure policy.
Password Reset: On-Demand Event: Fortify 2022 with a password-security strategy built for today’s threats. This Threatpost Security Roundtable, built for infosec professionals, centers on enterprise credential management, the new password basics and mitigating post-credential breaches. Join Darren James, with Specops Software and Roger Grimes, defense evangelist at KnowBe4 and Threatpost host Becky Bracken. Register & stream this FREE session today – sponsored by Specops Software.