Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026 CVE Identifier: CVE-2021-20040 Risk: CVSS 6.5 (Medium)
SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory.
An unauthenticated attacker may be able to write files with controlled content to arbitrary locations on disk, with the privileges of the
nobody user. Whilst the filename is not fully controlled, the target directory and partial file name are controlled. This could allow the attacker to write content to the web directory, or to certain configuration directories.
This vulnerability can be chained with additional vulnerabilities, such as Stored XSS, to compromise the management interface.
The sonicfiles Python API exposes a method called
RAC_POST_FILE_LIST (RacNumber 43). The sonicfiles API can be reached by unauthenticated users, via the
The following screenshot from the
httpd.conf file shows that the
/usr/src/EasyAccess/www/python/sonicfiles/fileshare.py WSGI script is aliased via the
RAC_POST_FILE_LIST API method was found to be vulnerable to directory traversal via the
swcctn parameter. The
swcctn parameter is used without sanitisation in a call to python’s
write file APIs, resulting in the ability to write a file with controlled contents to a semi-controlled path on the underlying filesystem. Note that the file-write is semi-controlled is because, whilst the directory path and filename are controlled, the file extension will always be suffixed with a timestamp.
RAC_POST_FILE_LIST method has RacNumber 43 and maps to the
The following screenshot shows that
RAC_POST_FILE_LIST maps to the
post_file_list function takes the data supplied in the POST request and assigns it into the
The stream is then read (up to Content-Length bytes) into the
The data supplied within the POST request is parsed as a JSON object. The
swcctn GET parameter is then assigned to the
swcctn variable. This variable is used to construct a file-path stored in
list_file_path. No path canonicalisation or traversal checks are carried out; however, a timestamp is appended to the file-path. This path is then passed directly to the open function, and the user-supplied content is written to the resulting file. Note that the code expects a list of lines to write to the file.
This vulnerability allows an attacker to write controlled content to a semi-controlled file-path. Whilst the file extension cannot be controlled (due to the timestamp being appended), the attacker can write files to arbitrary folders, with a partly controlled file name. Also note that the file is written under the permissions of the
Various directories under
/usr/EasyAccess/ can be written to by the
nobody user. Note that this includes web hosting directories. An attacker could therefore write files into these directories, allowing them to potentially spoof content or host malicious files.
Example unauthenticated POST request:
This results in the file being written to the target directory by the
This issue can be chained together with a Stored XSS issue in the admin panel by writing a file to the
/etc/EasyAccess/var/conf/postscripts/ directory, containing an XSS payload.
Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.
2021-10-29 - Vulnerability reported to SonicWall PSIRT. 2021-11-02 - Acknowledgement from SonicWall PSIRT. 2021-12-01 - SonicWall request that NCC Group withhold technical details until 2022-01-11, releasing high-level advisories on 2021-12-09. 2021-12-03 - NCC Group agrees to suggested disclosure timeline. 2021-12-07 - Patch released and SonicWall publish KB article and security advisory. 2021-12-09 - NCC Group advisory released.
Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.
Credit to Jake Baines from Rapid7 for also discovering this vulnerability.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: 2021-12-09
Written By: Richard Warren