Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)

Vendor: SonicWall
Vendor URL: https://www.sonicwall.com/
Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv
Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Author: Richard Warren <richard.warren[at]nccgroup[dot]trust>
Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
CVE Identifier: CVE-2021-20044
Risk: CVSS 7.2 (High)

Summary

SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authenticated command injection vulnerability, which can be exploited to execute arbitrary commands with root privileges.

The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users. When restoring system settings, an attacker can inject arbitrary commands via various means, resulting in code execution as root.

An attacker could chain other issues patched in this update, such as Arbitrary File Deletion or Stored XSS, to achieve Remote Code Execution from an unauthenticated perspective.

Impact

An attacker that successfully exploits this issue will be able to execute code on the underlying Operating System with the privileges of the root user.

Details

The SonicWall SMA appliance exposes several Python-based APIs via its web-interface. The Flask server listens on 127.0.0.1:12345 and requests to the /__api__/v1/ URL prefix are reverse proxied by httpd to the Flask server, where requests are dispatched to the various applications. These applications include:

  • /management
  • /report
  • /cloud
  • /client

The management application, which is exposed at /__api__/v1/management/ allows authenticated administrative users to carry out various management and configuration tasks.

The /__api__/v1/management/systemsettings/file URL path maps to the SettingFileResource class, which allows backup and restore of configuration settings and associated files (e.g., SSL certificates).

Settings files are supplied by the user within a zip file, given in the upfile POST parameter, as shown in the following screenshot. Note that the TMP_SETTING_FILE, TMP_STORE_DIR and QUIETLY parameters are not user controllable.

After the ZIP file is saved to the temporary directory, various methods are called to import the different files contained within the configuration archive.

A number of these methods could be abused to achieve code execution. The most obvious of these is in the importSchedTSRGenConf method, which would allow an attacker to restore a malicious fcrontab.config file containing a malicious command.

A command injection vulnerability was also identified in the importCertificates method, which is responsible for importing SSL certificates:

As can be seen above, the active-cert-info file (user-supplied) is read and the contents used directly in a call to os.system. If an attacker supplies a malicious configuration zip file containing a malicious active-cert-info file, command injection would be achieved, and any supplied command would be executed as root.

The following screenshot shows the vulnerability being exploited to achieve Remote Code Execution as the root user:

Recommendation

Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.

Vendor Communication

2021-10-29 - Vulnerability reported to SonicWall PSIRT.
2021-11-02 - Acknowledgement from SonicWall PSIRT.
2021-12-01 - SonicWall request that NCC Group withhold technical details until 2022-01-11, releasing high-level advisories on 2021-12-09.
2021-12-03 - NCC Group agrees to suggested disclosure timeline.
2021-12-07 - Patch released and SonicWall publish KB article and security advisory.
2021-12-09 - NCC Group advisory released.

Thanks to

Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: 2021-12-09

Written By: Richard Warren