SonicWall SMA100 SSL-VPN Affected By Multiple Vulnerabilities
Created on 2025-05-05 07:56, updated on 2025-05-05 07:56, by Alexandre Dulaunoy
Description
Security Advisory
Overview
| Advisory ID | SNWLID-2024-0018 |
| First Published | 2024-12-03 |
| Last Updated | 2025-04-29 |
| Workaround | false |
| Status | Applicable |
| CVE | CVE-2024-38475, CVE-2024-40763, CVE-2024-45318, CVE-2024-45319, CVE-2024-53702, CVE-2024-53703 |
| CWE | CWE-35, CWE-121, CWE-122, CWE-798, CWE-338 |
| CVSS v3 | 9.8 |
| CVSS Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Summary
- Path traversal vulnerability – attributed to publicly known Apache HTTP Server vulnerability (CVE-2024-38475)
Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-35: Path traversal vulnerability
- CVE-2024-40763 - SonicWALL SMA100 Heap-based buffer overflow vulnerability
Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause a heap-based buffer overflow, potentially leading to code execution.
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow
- CVE-2024-45318 - Stack-based buffer overflow vulnerability
A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause a stack-based buffer overflow, potentially leading to code execution.
CVSS Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-121: Stack-based Buffer Overflow
- CVE-2024-45319 - Certificate-based authentication bypass
A vulnerability in the SonicWall SMA100 SSLVPN allows a remote authenticated attacker to circumvent the certificate requirement during authentication.
CVSS Score: 6.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CWE-798: Use of Hard-coded Credentials
- CVE-2024-53702 - Insecure randomness
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- CVE-2024-53703 - Stack-based buffer overflow vulnerability
A vulnerability in the SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server allows remote attackers to cause a stack-based buffer overflow, potentially leading to code execution.
CVSS Score: 8.1
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-121: Stack-based Buffer Overflow
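An added illustration of the CWE-338 weakness class named for CVE-2024-53702; it is not SonicWall's code, and the alphabet, code length and timestamp seed are assumptions because the advisory does not describe the generator. It contrasts a seeded general-purpose PRNG, whose output space is only as large as the set of plausible seeds, with codes drawn from the OS CSPRNG.

```python
import math
import random
import secrets
import string

# Assumptions for illustration; the advisory does not describe the code format.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LEN = 10

def weak_backup_code(seed):
    """CWE-338 pattern: general-purpose PRNG seeded from a guessable value."""
    rng = random.Random(seed)  # Mersenne Twister: deterministic for a given seed
    return "".join(rng.choice(ALPHABET) for _ in range(CODE_LEN))

def strong_backup_code():
    """Hardened pattern: every character comes from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))

def weak_code_space(seeds):
    """All codes the weak generator can emit for a set of plausible seeds."""
    return {weak_backup_code(s) for s in seeds}

def entropy_bits(outcomes):
    """Bits of uncertainty when every outcome is equally likely."""
    return math.log2(outcomes)

def compare(seed_window):
    """Return (weak_bits, strong_bits) for a window of candidate seeds."""
    weak = entropy_bits(len(weak_code_space(seed_window)))
    strong = entropy_bits(len(ALPHABET) ** CODE_LEN)
    return weak, strong

if __name__ == "__main__":
    # Constructed seed window: one hour of Unix timestamps.
    window = range(1_700_000_000, 1_700_003_600)
    weak, strong = compare(window)
    print(f"seeded PRNG: {weak:.1f} bits, CSPRNG: {strong:.1f} bits")
```

When reviewing code that issues recovery or backup codes, the thing to look for is the source of randomness: anything seeded from time, a counter or a process ID has at most as many outputs as it has seeds.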
SonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities.
SonicWall strongly advises users of the SMA 100 series products (SMA 200, 210, 400, 410, and 500v) to upgrade to the mentioned fixed release version to address these vulnerabilities.
Affected Product(s)
| Affected Product(s) | Affected Versions |
|---|---|
| SMA 100 Series | 10.2.1.13-72sv and earlier versions. |
CPE(s)
Workaround
None
Fixed Software
| Fixed Product(s) | Fixed Versions |
|---|---|
| SMA 100 Series | 10.2.1.14-75sv and higher versions. |
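An added triage helper, not part of the advisory, that classifies firmware strings against the two version bounds given in the tables above. The `N.N.N.N-NNsv` format is inferred from those two strings, and the inventory hostnames and extra version strings are constructed for illustration.

```python
import re

# Bounds copied from the advisory tables.
LAST_AFFECTED = "10.2.1.13-72sv"
FIRST_FIXED = "10.2.1.14-75sv"

# Assumed format, inferred from the two version strings on this page.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Turn '10.2.1.13-72sv' into (10, 2, 1, 13, 72); None if malformed."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version_text):
    """Classify one firmware string against the advisory's bounds."""
    v = parse_version(version_text)
    if v is None:
        return "unparsed"   # check by hand; never assume fixed
    if v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIRST_FIXED):
        return "fixed"
    return "verify"         # between the bounds: the advisory does not say

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {
    "vpn-edge-01": "10.2.1.13-72sv",
    "vpn-edge-02": "10.2.1.14-75sv",
    "vpn-lab-01": "10.2.1.9-57sv",
    "vpn-dr-01": "10.2.1.15-81sv",
    "vpn-old-01": "unknown",
}

def report(inventory):
    """Map each host to its triage result, sorted by hostname."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:16} {status}")
```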
Comments
During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described.
Note: This is potentially being exploited in the wild.
SonicWall PSIRT recommends that customers review their SMA devices to ensure no unauthorized logins.
Credit(s)
Alain Mowat of Orange Cyberdefense, Switzerland.
Revision History
| Version | Date | Description |
|---|---|---|
| 1.0 | 04-Dec-2024 | Initial Release. |
| 1.1 | 05-Dec-2024 | Updated credit(s) section - Included vulnerability researcher name. |
| 1.2 | 29-Apr-2025 | Comment added - During further analysis, SonicWall and trusted security partners identified an additional exploitation technique using CVE-2024-38475, through which unauthorized access to certain files could enable session hijacking. SMA100 devices updated with the fixed firmware version 10.2.1.14-75sv are not vulnerable to CVE-2024-38475 or the related session hijacking technique described |
Reference(s)
Source https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018