Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026 CVE Identifier: CVE-2021-20044 Risk: CVSS 7.2 (High)
SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authenticated command injection vulnerability, which can be exploited to execute arbitrary commands with
The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users. When restoring system settings, an attacker can inject arbitrary commands via various means, resulting in code execution as
An attacker could chain other issues patched in this update, such as Arbitrary File Deletion or Stored XSS, to achieve Remote Code Execution from an unauthenticated perspective.
An attacker that successfully exploits this issue will be able to execute code on the underlying Operating System with the privileges of the
The SonicWall SMA appliance exposes several Python-based APIs via its web-interface. The Flask server listens on
127.0.0.1:12345 and requests to the
/__api__/v1/ URL prefix are reverse proxied by
httpd to the Flask server, where requests are dispatched to the various applications. These applications include:
management application, which is exposed at
/__api__/v1/management/ allows authenticated administrative users to carry out various management and configuration tasks.
/__api__/v1/management/systemsettings/file URL path maps to the
SettingFileResource class, which allows backup and restore of configuration settings and associated files (e.g., SSL certificates).
Settings files are supplied by the user within a zip file, given in the
upfile POST parameter, as shown in the following screenshot. Note that the
QUIETLY parameters are not user controllable.
After the ZIP file is saved to the temporary directory, various methods are called to import the different files contained within the configuration archive.
A number of these methods could be abused to achieve code execution. The most obvious of these is in the
importSchedTSRGenConf method, which would allow an attacker to restore a malicious
fcrontab.config file containing a malicious command.
A command injection vulnerability was also identified in the
importCertificates method, which is responsible for importing SSL certificates:
As can be seen above, the
active-cert-info file (user-supplied) is read and the contents used directly in a call to
os.system. If an attacker supplies a malicious configuration zip file containing a malicious
active-cert-info file, command injection would be achieved, and any supplied command would be executed as
The following screenshot shows the vulnerability being exploited to achieve Remote Code Execution as the
Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.
2021-10-29 - Vulnerability reported to SonicWall PSIRT. 2021-11-02 - Acknowledgement from SonicWall PSIRT. 2021-12-01 - SonicWall request that NCC Group withhold technical details until 2022-01-11, releasing high-level advisories on 2021-12-09. 2021-12-03 - NCC Group agrees to suggested disclosure timeline. 2021-12-07 - Patch released and SonicWall publish KB article and security advisory. 2021-12-09 - NCC Group advisory released.
Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: 2021-12-09
Written By: Richard Warren