{"uuid": "ff9a96b8-41b6-43fe-b430-913aad09c4c7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "name": "SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities", "description": "# Security Advisory\n\n# SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities\n\nOverview\n\n<table><tbody><tr><td>Advisory ID</td><td>SNWLID-2024-0018</td></tr><tr><td>First Published</td><td>2024-12-03</td></tr><tr><td>Last Updated</td><td>2025-04-29</td></tr><tr><td>Workaround</td><td>false</td></tr><tr><td>Status</td><td>Applicable</td></tr><tr><td>CVE</td><td>CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703</td></tr><tr><td>CWE</td><td>CWE-35, CWE-121, CWE-122, CWE-798, CWE-338</td></tr><tr><td>CVSS v3</td><td>9.8</td></tr><tr><td>CVSS Vector</td><td>CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</td></tr><tr><td>Direct Link</td><td><a href=\"/vuln-detail/SNWLID-2024-0018\">/vuln-detail/SNWLID-2024-0018</a></td></tr></tbody></table>\n\nSummary\n\n1.  Path traversal vulnerability \u2013 attributed to publicly known Apache HTTP Server vulnerability (CVE-2024-38475)\n\nImproper escaping of output in mod\\_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.\n\nCVSS Score: 9.8  \nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H  \nCWE-35: Path traversal vulnerability\n\n2.  CVE-2024-40763 - SonicWALL SMA100 Heap-based buffer overflow vulnerability\n\nHeap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause a heap-based buffer overflow, potentially leading to code execution.\n\nCVSS Score: 7.5  \nCVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H  \nCWE-122: Heap-based Buffer Overflow\n\n3.  CVE-2024-45318 - Stack-based buffer overflow vulnerability\n\nA vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause a stack-based buffer overflow, potentially leading to code execution.\n\nCVSS Score: 8.1  \nCVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  \nCWE-121: Stack-based Buffer Overflow\n\n4.  CVE-2024-45319 - Certificate-based authentication bypass\n\nA vulnerability in the SonicWall SMA100 SSLVPN allows a remote authenticated attacker to circumvent the certificate requirement during authentication.\n\nCVSS Score: 6.3  \nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L  \nCWE-798: Use of Hard-coded Credentials\n\n5.  CVE-2024-53702 - Insecure randomness\n\nUse of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.\n\nCVSS Score: 5.3  \nCVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N  \nCWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)\n\n6.  CVE-2024-53703 - Stack-based buffer overflow vulnerability\n\nA vulnerability in the SonicWall SMA100 SSLVPN mod\\_httprp library loaded by the Apache web server allows remote attackers to cause a stack-based buffer overflow, potentially leading to code execution.\n\nCVSS Score: 8.1  \nCVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  \nCWE-121: Stack-based Buffer Overflow\n\nSonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities.\n\nSonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities.\n\nAffected Product(s)\n\n<table><tbody><tr><td><b>Affected Product(s)</b></td><td><b>Affected Versions</b></td></tr><tr><td><b>SMA 100 Series<br></b><i>(SMA 200, 210, 400, 410, 500v)</i></td><td>10.2.1.13-72sv and earlier versions.</td></tr></tbody></table>\n\n_SonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities._\n\nCPE(s)\n\nWorkaround\n\nNone\n\nFixed Software\n\n<table><tbody><tr><td><b>Fixed Product(s)</b></td><td><b>Fixed Versions</b></td></tr><tr><td><b>SMA 100 Series<br></b><i>(SMA 200, 210, 400, 410, 500v)</i></td><td>10.2.1.14-75sv and higher versions.</td></tr></tbody></table>\n\nComments\n\nDuring further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.\n\n**Note: This is potentially being exploited in the wild.**\n\n**SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins.**\n\nCredit(s)\n\nAlain Mowat of Orange Cyberdefense, Switzerland.\n\nRevision History\n\n*   Version 1.0, 04-Dec-2024: Initial Release.\n*   Version 1.1, 05-Dec-2024: Updated credit(s) section - Included vulnerability researcher name.\n*   Version 1.2, 29-Apr-2025: Comment added - During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.\n\n# Reference(s)\n\nSource [https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018](https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018)", "creation_timestamp": "2025-05-05T07:56:53.581572+00:00", "timestamp": "2025-05-05T07:56:53.581572+00:00", "related_vulnerabilities": ["CVE-2024-40763", "CVE-2024-45318", "CVE-2024-38475", "CVE-2024-45319", "CVE-2024-53702", "CVE-2024-53703"], "author": {"login": "adulau", "name": "Alexandre Dulaunoy", "uuid": "c933734a-9be8-4142-889e-26e95c752803"}}
