Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)

Vendor: SonicWall
Vendor URL: https://www.sonicwall.com/
Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv
Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Author: Richard Warren <richard.warren[at]nccgroup[dot]trust>
Advisory URL: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
CVE Identifier: CVE-2021-20040
Risk: CVSS 6.5 (Medium)

Summary

SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory.

Impact

An unauthenticated attacker may be able to write files with controlled content to arbitrary locations on disk, with the privileges of the nobody user. Whilst the filename is not fully controlled, the target directory and partial file name are controlled. This could allow the attacker to write content to the web directory, or to certain configuration directories.

This vulnerability can be chained with additional vulnerabilities, such as Stored XSS, to compromise the management interface.

Recommendation

Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.

Vendor Communication

2021-10-29 - Vulnerability reported to SonicWall PSIRT.
2021-11-02 - Acknowledgement from SonicWall PSIRT.
2021-12-01 - SonicWall request that NCC Group withhold technical details until 2022-01-11, releasing high-level advisories on 2021-12-09.
2021-12-03 - NCC Group agrees to suggested disclosure timeline.
2021-12-07 - Patch released and SonicWall publish KB article and security advisory.
2021-12-09 - NCC Group advisory released.

Thanks to

Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.

Credit to Jake Baines from Rapid7 for also discovering this vulnerability.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: 2021-12-09

Written By: Richard Warren

Published December 9, 2021