Vendor: SonicWall
Vendor URL: https://www.sonicwall.com/
Versions affected: 10.2.0.8-37sv, 10.2.1.1-19sv
Systems Affected: SMA 100 Series (SMA 200, 210, 400, 410, 500v)
Author: Richard Warren <richard.warren[at]nccgroup[dot]trust>
Risk: CVSS 9.1 (Critical)

Summary

SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System.

This vulnerability exists in the sonicfiles RAC_DOWNLOAD_TAR method, which allows users to download a tar file from a specified SMB share, and is exposed to unauthenticated users. Before a file is downloaded, unlink is called on the local file-path. By exploiting a directory traversal vulnerability in this method, an attacker can cause unlink to be called on a path of their choosing, resulting in arbitrary file deletion.
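The fix for this class of bug is to confine the local path to the intended download directory and resolve it before any unlink is attempted. The snippet below is an added illustration written for this advisory, not SonicWall's code (the handler's implementation is not shown here); the directory layout, file names and the function names are assumptions.

```python
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path escapes the permitted directory."""


def resolve_within(base_dir: str, user_path: str) -> Path:
    """Map user_path onto base_dir and reject anything that escapes it.

    resolve() collapses '..' segments and follows symlinks, so the
    containment check runs on the path the OS would actually touch.
    Joining an absolute right-hand side discards base_dir entirely,
    so absolute user paths fail the check instead of being remapped.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathTraversalError(f"{user_path!r} escapes {base}") from None
    return candidate


def safe_unlink(base_dir: str, user_path: str) -> bool:
    """Delete a stale download file only if it lies under base_dir.

    Returns True if a file was removed, False if none existed. The
    containment check runs before unlink, the step the advisory
    describes as missing from the RAC_DOWNLOAD_TAR handler.
    """
    target = resolve_within(base_dir, user_path)
    if target == Path(base_dir).resolve():
        raise PathTraversalError("refusing to unlink the base directory")
    try:
        target.unlink()
        return True
    except FileNotFoundError:
        return False


def demo() -> dict:
    """Exercise the checks in a scratch directory (constructed sample data)."""
    with tempfile.TemporaryDirectory() as scratch:
        Path(scratch, "export.tar").write_bytes(b"constructed tar payload")
        results = {
            "inside_deleted": safe_unlink(scratch, "export.tar"),
            "inside_second_call": safe_unlink(scratch, "export.tar"),
        }
        for bad in ("../../outside.db", "/abs/outside.db", "sub/../../outside.db"):
            try:
                resolve_within(scratch, bad)
                results[bad] = "allowed"
            except PathTraversalError:
                results[bad] = "blocked"
    return results
```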

Note that because the server runs as the nobody user, only files that are owned by nobody can be deleted.

By deleting the persist.db file, an attacker can corrupt the locally stored user database. Depending on the device, deleting this file will either cause the device to immediately reboot, or for the HTTP server to become unresponsive. In either case, when the device is rebooted, the default password of admin:password will be restored – allowing the attacker to log into the administrative interface with known credentials.

Once access to the administrative interface has been gained, the attacker could exploit CVE-2021-20044 to achieve Remote Code Execution as root.

Impact

A remote unauthenticated attacker could exploit this issue to delete arbitrary files from the underlying Operating System. This may include database and configuration files owned by the nobody user. Depending on which file is deleted this could either result in Denial of Service, or takeover of the device.

Recommendation

Upgrade to SMA version 10.2.0.9-41sv, 10.2.1.3-27sv or above.

Vendor Communication

2021-10-29 - Vulnerability reported to SonicWall PSIRT.
2021-11-02 - Reply from SonicWall PSIRT stating that the vulnerability has been "rejected" as a duplicate/known issue.
2021-11-06 - SonicWall confirm they have addressed the other reported issues and shared a draft KB article, which omits details of arbitrary file-deletion and XSS issues. NCC Group requests clarification around this - providing evidence of successful exploitation on latest firmware versions (10.2.0.8-37v and 10.2.1.2-24sv).
2021-11-06 - SonicWall PSIRT respond stating that these issues were rejected, referencing the original triage response.
2021-12-07 - Patch released and SonicWall publish KB article.
2021-12-07 - NCC Group request further clarification on missing vulnerabilities.
2021-12-07 - No response from SonicWall.
2021-12-08 - NCC Group confirms that the arbitrary file-deletion vulnerability was fixed on firmware versions 10.2.0.9-41sv and 10.2.1.3-27sv.
2021-12-08 - SonicWall PSIRT responds stating that the issue was found by internal review prior to NCC Group's report, and for this reason was omitted from the advisory notes.
2021-12-09 - NCC Group advisory released.

Thanks to

Jennifer Fernick and Aaron Haymore from NCC Group for their assistance with disclosure.

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate & respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.

Published Date: 2021-12-09

Written By: Richard Warren
