Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Vendor: SonicWall
Vendor URL: https://www.sonicwall.com/
Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv
Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Author: Richard Warren <richard.warren[at]nccgroup[dot]trust>
Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
CVE Identifier: CVE-2021-20043
Risk: CVSS 8.8 (High)Summary
SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a heap-based buffer overflow vulnerability in the sonicfiles RAC_GET_BOOKMARKS_HTML5 API. This vulnerability arises due to the unchecked use of the strcat function on a fixed size buffer, when displaying user bookmarks. This vulnerability requires authentication as a low privileged user.
Impact
An authenticated low-privileged user could exploit this vulnerability to achieve code execution as the nobody user.
Details
The sonicfiles RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method allows users list their bookmarks. This method is vulnerable to heap-based buffer-overflow, due to unchecked use of strcat.
The RAC_GET_BOOKMARKS sonicfiles method maps to the Python method get_bookmarks. This simply calls into sonicapp.api.getBookmarks:
getBookmarks is a swig wrapper into libSys.so!getFileShareBookmarks. The following screenshot shows decompilation of the getFileShareBookmarks function:
As shown above, a fixed buffer of size 1280 bytes is allocated. Later, all bookmarks for the current user (specified in the swap ID cookie) are retrieved from the database via a call to bookmarkFindAllByUser.
The following screenshot shows the SQLite query used to retrieve the list of user’s bookmarks in bookmarkFindAllByUser:
The list of bookmarks is then copied (in 128-byte chunks) into the fixed size buffer using strcat:
An attacker could trigger a heap-based buffer overflow by creating 11 bookmarks with a name length of 127 characters, as per the following screenshot:
Once the bookmarks are placed, the attacker could then call the sonicfiles RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method, to list the bookmarks. This results in a heap-based buffer-overflow in libSys.so!getFileShareBookmarks->strcat
This vulnerability requires a low-privileged user-level session and could result in code execution as the nobody user.
The following POST request shows the creation of a CIFS server bookmark:
Example POST request to trigger the overflow (after creating the 11 bookmarks):
Recommendation
Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.
Vendor Communication
2021-10-29 - Vulnerability reported to SonicWall PSIRT.
2021-11-02 - Acknowledgement from SonicWall PSIRT.
2021-12-01 - SonicWall request that NCC Group withhold technical details until 2022-01-11, releasing high-level advisories on 2021-12-09.
2021-12-03 - NCC Group agrees to suggested disclosure timeline.
2021-12-07 - Patch released and SonicWall publish KB article and security advisory.
2021-12-09 - NCC Group advisory released.Thanks to
Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: 2021-12-09
Written By: Richard Warren