Critical Vulnerability Updates in SonicWall (CVE-2023-44221, CVE-2024-38475)

Executive Summary

On May 1st, watchTowr Labs published an article detailing new information on two previously reported critical vulnerabilities in SonicWall SMA: CVE-2024-38475, an arbitrary file read, and CVE-2023-44221, a command injection. Successful combined exploitation of the two grants a threat actor remote code execution (RCE) on a target device. Both vulnerabilities were added to the CISA KEV catalog on the same day, and Beazley Security is aware of active "in the wild" exploitation of these vulnerabilities.

SonicWall SMA (Secure Mobile Access) is a remote access gateway appliance that gives remote and mobile users access to internal resources. It is typically deployed as an edge device, so a successful compromise provides a threat actor with initial access into an organization's network. These vulnerabilities were previously identified and addressed by SonicWall in SNWLID-2024-0018 (CVE-2024-38475) and SNWLID-2023-0018 (CVE-2023-44221), but the new information provided by watchTowr and CISA has prompted SonicWall to update both advisories to reflect the increased risk and severity.

Software security patches have already been provided by SonicWall, and watchTowr provided enough detailed technical analysis for proficient readers to develop their own weaponized exploits. As a result, Beazley Security expects increased scanning and exploit attempts from less sophisticated threat actors (in addition to the current in the wild exploitation). Affected organizations should apply updates immediately.

Affected Systems or Products

Advisory           Product                                         Affected                              Unaffected

SNWLID-2024-0018   SMA 100 Series (SMA 200, 210, 400, 410, 500v)   10.2.1.13-72sv and earlier versions   10.2.1.14-75sv and higher versions
SNWLID-2023-0018   SMA 100 Series (SMA 200, 210, 400, 410, 500v)   10.2.1.9-57sv and earlier versions    10.2.1.10-62sv and higher versions

Mitigations / Workarounds

There are unfortunately no mitigations or workarounds available for these vulnerabilities. However, SonicWall has provided stable patches for both vulnerabilities through its normal update channels.

Patches

SonicWall SMA 10.2.1.14-75sv and later versions address both issues. Instructions for updating device firmware have been provided by the vendor here.

Technical Details

As previously mentioned, the watchTowr article describes how the two vulnerabilities can be chained to achieve RCE. watchTowr has done an excellent job describing the technical details, and their article deserves a read through. We provide a condensed version of their findings here.

CVE-2024-38475

This vulnerability is in the Apache HTTP Server (specifically its mod_rewrite module) used by SonicWall SMA appliances. It was reported by the researcher Orange Tsai, who published findings on this and other related Apache vulnerabilities in an excellent blog post found here.

The components and details of this vulnerability are somewhat complex, especially in the context of how it can be used to attack SonicWall devices. We will attempt to describe it by reviewing the attack example provided by watchTowr.

Figure 1: CVE-2024-38475 proof-of-concept

First for context, Apache has a component called mod_rewrite that will, among many other things, take requested URLs and translate them into other objects for further processing. It does this via administrator defined rules, and the rule present on SonicWall devices that presents the bug is:

RewriteRule ^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$ /$1.css

Although it appears convoluted, the rule matches a version-like suffix such as ".1.1.1.1a-1.css" at the end of the requested path (denoted in green in Figure 1), strips it, and rewrites the request to whatever preceded it plus ".css". Apache then converts that rewritten string into a file path and attempts to access that file.

This is where the first major component of the bug comes into play. For security reasons, when Apache retrieves files to serve web content, it is constrained to the directory set by the "DocumentRoot" directive. On SonicWall appliances, "DocumentRoot" is the following path: "/usr/src/EasyAccess/www/htdocs". Orange Tsai found that when a rewrite substitution begins with a "/" (as "/$1.css" does), mod_rewrite checks whether the first directory component of the rewritten string exists on the filesystem; if it does, the string is treated as a filesystem path rather than as a URL path under "DocumentRoot". As a result, there are two candidate file paths.

In this particular case, because the SonicWall RewriteRule translates the URL to /$1.css, instead of only searching for:

/usr/src/EasyAccess/www/htdocs/tmp/temp.db%3f.1.1.1.1a-1.css

It will also try to search for:

/tmp/temp.db%3f.1.1.1.1a-1.css

Because "/tmp" exists on the appliance, mod_rewrite uses the latter path. This is where the second major component of the vulnerability emerges. URLs and Unix file paths have different encoding rules, and the issue arises because Apache applies URL decoding to the resulting file path. In the proof-of-concept in Figure 1, the string in red, "%3f", is decoded to "?", which in a URL marks the start of the query string. Everything after it, i.e. the green section of the URL / file path, is therefore truncated, and Apache will search for and serve the contents of the following file path:

/tmp/temp.db

In this exploitation scenario, this enables an attacker to retrieve the session database from the SonicWall SMA appliance. Because the database stores session information, a threat actor can hijack an existing session and log in as a legitimate user.
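To make the two behaviours concrete, here is an added Python model (written for this summary; it is not code from watchTowr, Orange Tsai, or Apache) of how the rule above turns the proof-of-concept URL into a read of /tmp/temp.db. The filesystem is a constructed dictionary, the session database contents are placeholder bytes, and the patched=True branch models the fixed behaviour of always treating the rewritten string as a URL path under DocumentRoot; Apache itself is not invoked.

```python
import re
from urllib.parse import unquote

# The SMA rewrite rule quoted above, as a Python regex (single-backslash form).
REWRITE_PATTERN = re.compile(
    r"^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$"
)
DOCUMENT_ROOT = "/usr/src/EasyAccess/www/htdocs"

# Constructed stand-in for the appliance filesystem: path -> bytes, or None for
# a directory. The session database contents are placeholder bytes, not real data.
FAKE_FS = {
    "/tmp": None,
    "/tmp/temp.db": b"SQLite format 3\x00 ... session rows ...",
    DOCUMENT_ROOT: None,
    DOCUMENT_ROOT + "/js": None,
    DOCUMENT_ROOT + "/js/app.css": b"body { margin: 0 }",
}


def rewrite(uri):
    """Apply the rule: drop the version-like suffix and substitute /$1.css.
    Returns None when the rule does not match, i.e. mod_rewrite leaves the URI alone."""
    m = REWRITE_PATTERN.match(uri)
    return None if m is None else "/" + m.group(1) + ".css"


def resolve_filename(rewritten, fs=FAKE_FS, patched=False):
    """Turn the rewritten string into the file Apache will open.

    Unpatched behaviour, modelled after the description above:
      1. Filename confusion: the substitution starts with '/', so mod_rewrite checks
         whether its first directory component exists on disk. If it does, the whole
         string is used as a filesystem path instead of a URL under DocumentRoot.
      2. Truncation: the string is URL-decoded, and a decoded '?' ends the filename
         because the remainder is treated as a query string.
    With patched=True the prefix check is skipped (the fixed behaviour): the
    rewritten string is always a URL path under DocumentRoot.
    """
    first_dir = "/" + rewritten.split("/")[1]
    if not patched and first_dir in fs and fs[first_dir] is None:
        candidate = rewritten                      # taken as a raw filesystem path
    else:
        candidate = DOCUMENT_ROOT + rewritten      # normal web path
    filename, _, _query = unquote(candidate).partition("?")
    return filename


def serve(uri, fs=FAKE_FS, patched=False):
    """Return the bytes Apache would serve for `uri`, or None if no file is found."""
    rewritten = rewrite(uri)
    if rewritten is None:
        return None
    return fs.get(resolve_filename(rewritten, fs, patched))


if __name__ == "__main__":
    poc = "/tmp/temp.db%3f.1.1.1.1a-1.css"
    print(rewrite(poc))                        # /tmp/temp.db%3f.css
    print(resolve_filename(rewrite(poc)))      # /tmp/temp.db
    print(serve(poc))                          # placeholder session database bytes
    print(serve(poc, patched=True))            # None: stays under DocumentRoot
    print(serve("/js/app.1.1.1.1a-1.css"))    # the stylesheet the rule was written for
```

The benign request shows why the rule exists at all: a versioned stylesheet name is collapsed to the real file under DocumentRoot. The proof-of-concept differs only in that its leading component names a directory that exists on the appliance and it carries an encoded "?", which is exactly the pair of conditions the patched branch no longer honours.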

CVE-2023-44221

The second vulnerability is a conventional command injection flaw. watchTowr appears to have conducted patch analysis and determined that the fixed firmware added security checks to the system code that invokes network diagnostic tools.

SonicWall appliances expose POST API endpoints that execute system binaries to perform system and network diagnostic functions, and the vulnerable endpoint allows arbitrary parameters to be passed to them. The code path for traceroute6 lacked proper string length validation of its parameters, exposing the calls to potential buffer overflows. Additionally, the buffers that store the unchecked parameters are allocated next to each other, which simplifies exploitation by avoiding the memory corruption complications usually associated with buffer overflow attempts.
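To illustrate the class of bug, below is an added, constructed comparison (not SonicWall's code) of a diagnostics handler that interpolates the request's target field into a shell command line, next to one that validates the value and passes it as its own argv element. The traceroute6 path, the -m option, and the 128-character limit are assumptions made for the example.

```python
import ipaddress
import re

# Assumed binary location; illustrative only.
TRACEROUTE6 = "/usr/sbin/traceroute6"


def build_command_vulnerable(target):
    """Vulnerable pattern (constructed, not SonicWall's code): the request field is
    interpolated into a single shell command line. Quoting in the template does not
    help once the value itself contains a quote followed by ';'."""
    return f'{TRACEROUTE6} -m 10 "{target}"'


def split_shell_commands(cmdline):
    """Split a command line on ';' outside double quotes, the way /bin/sh separates
    commands. Minimal scanner, enough to show what the shell would run."""
    commands, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            commands.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    commands.append("".join(current).strip())
    return [c for c in commands if c]


# RFC 1123 style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 chars each. No quotes, ';', spaces or other metacharacters.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
MAX_TARGET_LEN = 128   # assumed limit; the point is that a length check exists at all


def validate_target(target):
    """Allow-list check: the value must be a short IPv6 address or hostname.
    Anything else is rejected before it reaches a command."""
    if not isinstance(target, str) or len(target) > MAX_TARGET_LEN:
        raise ValueError("target too long or not a string")
    try:
        return str(ipaddress.IPv6Address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("target is not an IPv6 address or hostname")


def build_argv_hardened(target):
    """Hardened form: the validated value is its own argv element, to be run with
    subprocess.run(argv) and no shell, so no metacharacter is ever interpreted.
    The allow-list also rules out a leading '-', so it cannot be read as an option."""
    return [TRACEROUTE6, "-m", "10", validate_target(target)]


if __name__ == "__main__":
    injected = '"; id; "'
    print(split_shell_commands(build_command_vulnerable(injected)))   # shell runs `id`
    print(build_argv_hardened("2001:db8::1"))
    try:
        build_argv_hardened(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The hardened version does two things the text says the original lacked: it bounds the length of the parameter, and it never hands the value to a shell, so the adjacency of buffers and the 140-character padding in the proof-of-concept become irrelevant.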

A proof-of-concept exploit for this vulnerability is provided below (the Content-Type header for the form body is added here; <payload> and the 140-character padding are placeholders as in the original):

POST /spog/diagnostics HTTP/1.1
Host: host
Cookie: swap="aaaaaaaa="; swcctn=bbbbbbbbbb
User-Agent: Mozilla/5.0
X-Csrf-Token: bbbbbbbbbb
Content-Type: application/x-www-form-urlencoded
Priority: u=0
Te: trailers
Connection: keep-alive

tool=TRACEROUTE6_CMD&target=";<payload>; <140 " characters>"

The diagnostics API endpoint requires that a user be authenticated to the device as an administrator. In the sequence of actions demonstrated by the watchTowr researchers, CVE-2024-38475 is first utilized to hijack an existing administrative session. Subsequently, CVE-2023-44221 is employed to exploit the device further, leading to Remote Code Execution.
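As an added example for hunting (not from watchTowr's or SonicWall's material), the following Python scans Apache combined-format access logs for both steps of the chain and, where a reverse proxy, WAF or packet capture retains request bodies, inspects the diagnostics form itself. The log lines and IP addresses are constructed; the heuristics flag a request that matches the rewrite suffix and carries an encoded "?" or a leading system directory, and any POST to /spog/diagnostics, which should be reviewed against expected administrator sessions rather than treated as a confirmed hit.

```python
import re
from urllib.parse import parse_qs

# Apache combined log format, just the fields this hunt needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) '
)
# The suffix the SMA rewrite rule strips; group 1 is what mod_rewrite maps to /$1.css.
SUFFIX_RE = re.compile(
    r"^/(.+)\.[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[A-Za-z0-9]*-[0-9]+.*\.css$"
)
# Leading directories that only make sense as filesystem paths, never as web paths.
SYSTEM_DIRS = {"tmp", "etc", "usr", "var", "proc", "dev", "root", "home"}
DIAG_ENDPOINT = "/spog/diagnostics"

# Constructed log lines (not real traffic). Line 3 is a benign, versioned
# stylesheet request of the kind the rewrite rule was written for.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2025:10:01:02 +0000] "GET /tmp/temp.db%3f.1.1.1.1a-1.css HTTP/1.1" 200 4096 "-" "curl/8.0"
203.0.113.7 - - [01/May/2025:10:01:05 +0000] "POST /spog/diagnostics HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2025:10:02:10 +0000] "GET /js/app.10.2.1.14-75sv.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2025:10:02:11 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def classify(method, path):
    """Return a reason string for a suspicious request line, else None."""
    m = SUFFIX_RE.match(path)
    if method == "GET" and m:
        inner = m.group(1)                       # the part that becomes /$1.css
        first_dir = inner.split("/")[0]
        if "%3f" in inner.lower() or "?" in inner or first_dir in SYSTEM_DIRS:
            return "possible CVE-2024-38475 arbitrary file read (mod_rewrite truncation)"
    if method == "POST" and path.split("?", 1)[0] == DIAG_ENDPOINT:
        return "POST to admin diagnostics endpoint; review for CVE-2023-44221 command injection"
    return None


def hunt(log_text):
    """Scan combined-format lines; returns (ip, path, reason) for each hit."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m["method"], m["path"])
        if reason:
            findings.append((m["ip"], m["path"], reason))
    return findings


def suspicious_diag_body(body):
    """Access logs do not hold POST bodies. Where a WAF, reverse proxy or packet
    capture does, decode the form and look for shell metacharacters in 'target'
    when the traceroute tool is selected."""
    form = parse_qs(body, keep_blank_values=True)
    tool = form.get("tool", [""])[0]
    target = form.get("target", [""])[0]
    return tool.startswith("TRACEROUTE") and any(c in target for c in ';"`$|&\n')


if __name__ == "__main__":
    for ip, path, reason in hunt(SAMPLE_LOG):
        print(f"{ip} {path} -> {reason}")
    print(suspicious_diag_body("tool=TRACEROUTE6_CMD&target=%22%3Bid%3B%20%22"))  # True
```

Note that the benign versioned stylesheet on line 3 is not flagged even though it matches the rewrite pattern, because its leading component is an ordinary web directory and it carries no encoded "?". A successful file read (status 200 with a non-trivial byte count) against a path like /tmp/temp.db, followed shortly by POSTs to the diagnostics endpoint from the same source, is the sequence described above and warrants session invalidation and a full review of the appliance.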

How Beazley Security is Responding

Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
