Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Vendor: SonicWall Vendor URL: https://www.sonicwall.com/ Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v) Author: Richard Warren <richard.warren[at]nccgroup[dot]trust> Risk: CVSS 8.2 (High)
SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability arises due to lack of sufficient output encoding when displaying postscript file names within the management interface.
Due to CVE-2021-20040, this issue can be exploited by a remote, unauthenticated attacker.
An attacker with access to an administrative session could later exploit CVE-2021-20044 to achieve Remote Code Execution.
SonicWall SMA SSL VPN suffers from stored XSS vulnerability within the admin panel. Normally this would result in a not very exploitable self-XSS, however due to CVE-2021-20040 and CVE-2021- 20044 this could be chained to achieve RCE from an unauthenticated perspective.
The admin application displays a list of “postscripts” which can be configured to execute on a user’s endpoint whenever they connect to the VPN. These are displayed on the
/cgi- bin/extensionsetting page:
Any files contained within the
/etc/EasyAccess/var/conf/postscripts/directory will be listed here.
The usual process to configure a postscript is to upload it via the admin application, at which point it will be available in the list of postscript files and displayed on this page.
When displaying file names on the
extensionsetting page, no output filtering is carried out. This means that if a file containing an XSS string is written to the postscripts folder, it will result in Stored-XSS being triggered whenever a logged-in admin user visits the page.
In addition, CVE-2021-20040 allows an unauthenticated attacker to write files with semi-controlled file names to arbitrary locations on disk. By using a directory traversal attack to write a file containing an XSS string to the
/etc/EasyAccess/var/conf/postscripts/ directory, an unauthenticated attacker can store an XSS payload in the admin interface. This payload will be triggered whenever a logged-in admin visits the
Unauthenticated request sample (exploiting CVE-2021-20040) to store the XSS payload:
Example XSS payload triggered when visiting the
The following video shows how these vulnerabilities can be chained to reset the administrator password and execute arbitrary commands as
Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.
2021-10-29 - Vulnerability reported to SonicWall PSIRT. 2021-11-02 - Reply from SonicWall PSIRT stating that the vulnerability has been "rejected" as a duplicate/known issue. 2021-11-06 - SonicWall confirm they have addressed the other reported issues and shared a draft KB article, which omits details of arbitrary file-deletion and XSS issues. NCC Group requests clarification around this - providing evidence of successful exploitation on latest firmware versions (10.2.0.8-37v and 10.2.1.2-24sv). 2021-11-06 - SonicWall PSIRT respond stating that these issues were rejected, referencing the original triage response. 2021-12-07 - Patch released and SonicWall publish KB article. 2021-12-07 - NCC Group request further clarification on missing vulnerabilities. 2021-12-08 - NCC Group confirms that the arbitrary file-deletion vulnerability was fixed on firmware versions 10.2.0.9-41sv and 10.2.1.3-27sv. 2021-12-08 - SonicWall PSIRT responds stating that the issue was found by internal review prior to NCC Group's report, and for this reason was omitted from the advisory notes. 2021-12-09 - NCC Group advisory released.
Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published Date: 2021-12-09
Written By: Richard Warren