WARNING: MULTIPLE HIGH AND MEDIUM BUFFER OVERFLOW AND CODE EXECUTION VULNERABILITIES IN SONICWALL SMA100 SSLVPN, PATCH IMMEDIATELY!

Published: 09/12/2024

Reference:
Advisory #2024-285

Version:
1.0

Affected software:
SonicWall SMA100 SSLVPN firmware version 10.2.1.13-72sv and earlier

Type:
Heap and Stack based Buffer Overflow + multiple types

CVE/CVSS:
CVE-2024-40763: CVSS 7.5/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2024-45318: CVSS 8.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE-2024-45319: CVSS 6.3/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE-2024-53702: CVSS 5.3/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVE-2024-53703: CVSS 8.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Sources

SonicWall - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018

Risks

SonicWall SMA100 SSLVPN is a secure remote access solution used to grant employees, contractors and other users secure access to an organisation's internal resources from any location. The SSL VPN technology encrypts the communication and the internet connection. The product provides secure access to applications, files and systems, along with authentication, endpoint control and policy enforcement.

CVE-2024-40763 is rated with a 7.5, resulting in high severity. CVE-2024-45318 has a score of 8.1, which gives it high severity. CVE-2024-45319 is rated with a 6.3, resulting in medium severity. CVE-2024-53702 has a score of 5.3, which gives it medium severity. CVE-2024-53703 has a score of 8.1, which gives it high severity.

Successful exploitation of any of these vulnerabilities has a high impact on the complete CIA triad.

Specifically, CVE-2024-40763 is caused by the usage of strcpy. It is a heap-based buffer overflow vulnerability.

Description

CVE-2024-40763: A remote authenticated attacker can cause a heap-based buffer overflow, potentially leading to code execution.

CVE-2024-45318: A remote attacker can use the web management interface to cause a stack-based buffer overflow, potentially leading to code execution.

CVE-2024-45319: A remote authenticated attacker can circumvent the certificate requirement during authentication.

CVE-2024-53702: The SonicWall SMA100 SSLVPN backup code generator uses a cryptographically weak pseudo-random number generator (PRNG) whose output can, in certain cases, be predicted by an attacker, potentially exposing the generated secret.

CVE-2024-53703: An attacker can cause a stack-based buffer overflow, potentially leading to code execution, by exploiting this vulnerability in the mod_httprp library loaded by the Apache web server.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Update to version 10.2.1.14-75sv and higher versions to secure your systems.
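
To prioritise patching across several appliances, the version boundaries above can be checked against an inventory export. The following is an added example, not part of the original advisory or any SonicWall tooling: the `hostname,firmware` input format, the hostnames and the sample versions are constructed, and it assumes firmware strings of the form `N.N.N.N-NNsv` order numerically field by field.

```python
import re

# Boundaries taken from the advisory text.
LAST_AFFECTED = "10.2.1.13-72sv"
FIRST_FIXED = "10.2.1.14-75sv"

# Assumed format: four dotted numbers, a dash, a build number, then "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return a comparable tuple of ints, or None if the format does not match."""
    match = _VERSION_RE.match(text.strip().lower())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Return 'vulnerable', 'patched', 'unverified' or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"  # needs manual inspection, never assume safe
    if version <= parse_version(LAST_AFFECTED):
        return "vulnerable"
    if version >= parse_version(FIRST_FIXED):
        return "patched"
    # Builds between the two boundaries are not covered by the advisory.
    return "unverified"


def triage(inventory_lines):
    """Classify 'hostname,firmware' lines and return {hostname: status}."""
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, firmware = line.partition(",")
        results[host.strip()] = classify(firmware)
    return results


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    "# hostname,firmware",
    "sma-edge-01,10.2.1.13-72sv",
    "sma-edge-02,10.2.1.9-57sv",
    "sma-edge-03,10.2.1.14-75sv",
    "sma-edge-04,10.2.1.14-70sv",
    "sma-edge-05,unknown",
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as `unverified` or `unparseable` should be checked by hand rather than treated as patched.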

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Vulners - https://vulners.com/cve/CVE-2024-40763

CVE details - https://www.cvedetails.com/cve/CVE-2024-45318/

NIST