
Security researchers at watchTowr have published an analysis of two vulnerabilities currently being exploited in the wild against SonicWall's Secure Mobile Access (SMA100) appliances. The vulnerabilities - CVE-2024-38475 and CVE-2023-44221 - have been added to CISA's Known Exploited Vulnerabilities list, indicating their active exploitation by threat actors.
CVE-2024-38475 is a pre-authentication arbitrary file read vulnerability affecting the Apache HTTP Server's mod_rewrite module. Originally discovered by Orange Tsai and presented at BlackHat USA 2024, the vulnerability stems from what researchers call "Filename Confusion," where the server mistakenly treats filesystem paths as URL paths during processing.
The watchTowr team demonstrated how attackers can exploit this vulnerability in SonicWall devices by manipulating URL-encoded question marks to truncate paths. Combined with "DocumentRoot Confusion," this allows attackers to read any file on the filesystem accessible to the webserver user (nobody).
Most critically, researchers showed how attackers can access /tmp/temp.db, a SQLite database containing active administrator session IDs and CSRF tokens. By using the Range HTTP header to download specific chunks of the database, attackers can reliably extract authentication tokens, effectively bypassing authentication controls.
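The file-read chain above hinges on a percent-encoded question mark inside the path component, which is something a defender can look for in web-server access logs. The following C program is an added example written for this article, not code from watchTowr, SonicWall or Apache: it percent-decodes the path portion of each request target (repeating the decode to catch nested encodings such as `%253F`), flags any path that hides a `?`, and runs that check over a few constructed common-log-format lines. The log lines, the function names and the 1024-byte limits are all assumptions made here for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_val(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One round of percent-decoding of src into dst. Returns the decoded length,
 * or -1 if a %XX sequence is malformed or dst (dst_cap bytes) is too small. */
static int percent_decode(const char *src, char *dst, size_t dst_cap) {
    size_t n = 0;
    for (const char *p = src; *p; p++) {
        int ch = (unsigned char)*p;
        if (ch == '%') {
            int hi = p[1] ? hex_val((unsigned char)p[1]) : -1;
            int lo = (hi >= 0 && p[2]) ? hex_val((unsigned char)p[2]) : -1;
            if (hi < 0 || lo < 0) return -1;
            ch = hi * 16 + lo;
            p += 2;
        }
        if (n + 1 >= dst_cap) return -1;
        dst[n++] = (char)ch;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Returns 1 if the path part of a request target (everything before a literal
 * '?') contains a '?' once percent-decoded, i.e. the client sent %3F (or a
 * nested %253F) inside the path rather than as a real query delimiter.
 * Malformed or over-long input is also reported as 1 (worth a look). */
int path_hides_question_mark(const char *target) {
    char buf[2][1024];
    char *cur = buf[0], *next = buf[1];
    size_t plen = strcspn(target, "?");
    if (plen >= sizeof buf[0]) return 1;
    memcpy(cur, target, plen);
    cur[plen] = '\0';
    for (int round = 0; round < 3; round++) {      /* up to three decode rounds */
        if (strchr(cur, '?')) return 1;
        if (!strchr(cur, '%')) return 0;
        if (percent_decode(cur, next, sizeof buf[0]) < 0) return 1;
        char *t = cur; cur = next; next = t;
    }
    return strchr(cur, '?') != NULL;
}

/* Pulls the request target out of a common/combined log line, i.e. the token
 * between the method and the protocol inside the quoted request. 0 on success. */
static int extract_target(const char *line, char *out, size_t cap) {
    const char *q = strchr(line, '"');
    if (!q) return -1;
    const char *sp = strchr(q + 1, ' ');
    if (!sp) return -1;
    const char *end = strpbrk(sp + 1, " \"");
    if (!end) return -1;
    size_t len = (size_t)(end - (sp + 1));
    if (len + 1 > cap) return -1;
    memcpy(out, sp + 1, len);
    out[len] = '\0';
    return 0;
}

/* Returns 1 if the line's request target hides a '?' in its path. */
int line_is_suspicious(const char *line) {
    char target[1024];
    if (extract_target(line, target, sizeof target) != 0) return 0;
    return path_hides_question_mark(target);
}

/* Constructed sample lines for this example; not taken from any real appliance. */
const char *SAMPLE_LINES[] = {
    "10.0.0.5 - - [01/May/2025:10:00:00 +0000] \"GET /index.html HTTP/1.1\" 200 512",
    "10.0.0.5 - - [01/May/2025:10:00:01 +0000] \"GET /portal/login?next=%3F HTTP/1.1\" 200 512",
    "10.0.0.9 - - [01/May/2025:10:00:02 +0000] \"GET /static/%3F HTTP/1.1\" 206 4096",
    "10.0.0.9 - - [01/May/2025:10:00:03 +0000] \"GET /static/%253F HTTP/1.1\" 404 0",
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_LINES / sizeof SAMPLE_LINES[0];

/* Counts lines whose path hides a question mark. */
int count_suspicious(const char **lines, size_t n) {
    int hits = 0;
    for (size_t i = 0; i < n; i++) hits += line_is_suspicious(lines[i]);
    return hits;
}

int main(void) {
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (line_is_suspicious(SAMPLE_LINES[i])) printf("FLAG: %s\n", SAMPLE_LINES[i]);
    printf("%d of %zu lines flagged\n", count_suspicious(SAMPLE_LINES, SAMPLE_COUNT), SAMPLE_COUNT);
    return 0;
}
```

An encoded `?` inside a query string (the second sample line) is legitimate and is not flagged; only a `?` that appears in the path once decoding is complete is. A 206 status on such a request is a second signal worth correlating, since the article notes the session database was pulled in ranges, but the common log format does not carry the Range header itself, so that correlation needs a custom log format.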
The second vulnerability, CVE-2023-44221, is a post-authentication command injection vulnerability discovered by Wenjie Zhong. Once authenticated (which is possible using the first vulnerability), attackers can exploit a buffer overflow in the SonicWall diagnostic tools, specifically in the traceroute6 function.
The researchers found that while SonicWall implemented an escaping function called shellScriptEncode to prevent command injection, the function fails to limit input length. By supplying a large number of characters that expand during escaping (such as quotation marks), attackers can cause a buffer overflow that corrupts adjacent memory, ultimately breaking out of the command's string context and achieving remote code execution.
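The defect class described here, an escaping routine whose output grows faster than its input and is written into a buffer sized for the input, is easy to avoid once the expansion is accounted for. The C code below is an added example, not SonicWall's shellScriptEncode or any other code from the appliance: `shell_escape_bounded` computes the escaped length first and refuses when the result would not fit, `max_safe_input_len` gives the matching input limit for a given buffer, and `build_traceroute6_cmd` is a hypothetical wrapper that uses the bounded escaper. The single-quote escaping scheme, the 64-byte `esc` buffer and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quotes src for a POSIX shell: wraps it in single quotes and turns each
 * embedded ' into '\'' (4 bytes). Writes at most dst_cap bytes including the
 * NUL; returns the escaped length, or -1 if the result would not fit.
 * The same loop without the fit check, writing into a fixed-size buffer, is
 * the pattern the article describes: the expansion outruns the buffer. */
int shell_escape_bounded(const char *src, char *dst, size_t dst_cap) {
    size_t need = 2;                               /* the surrounding quotes */
    for (const char *p = src; *p; p++) need += (*p == '\'') ? 4 : 1;
    if (need + 1 > dst_cap) return -1;             /* refuse instead of overflowing */
    size_t n = 0;
    dst[n++] = '\'';
    for (const char *p = src; *p; p++) {
        if (*p == '\'') { memcpy(dst + n, "'\\''", 4); n += 4; }
        else dst[n++] = *p;
    }
    dst[n++] = '\'';
    dst[n] = '\0';
    return (int)n;
}

/* Worst-case planning: the longest input a cap-byte buffer can hold after
 * escaping when every character is a quote (2 + 4*len + 1 <= cap). */
size_t max_safe_input_len(size_t cap) {
    return cap < 3 ? 0 : (cap - 3) / 4;
}

/* Hypothetical diagnostic wrapper: builds "traceroute6 '<host>'" into cmd.
 * Returns the command length, or -1 when the escaped host or the whole
 * command would not fit. Invoking the tool with an argv array and no shell
 * would remove the need for escaping altogether. */
int build_traceroute6_cmd(const char *host, char *cmd, size_t cmd_cap) {
    char esc[64];
    int n = shell_escape_bounded(host, esc, sizeof esc);
    if (n < 0) return -1;
    int w = snprintf(cmd, cmd_cap, "traceroute6 %s", esc);
    if (w < 0 || (size_t)w >= cmd_cap) return -1;
    return w;
}

int main(void) {
    char cmd[128];
    const char *inputs[] = { "2001:db8::1", "a'b", "''''''''''''''''''''" };  /* constructed */
    for (size_t i = 0; i < 3; i++) {
        int w = build_traceroute6_cmd(inputs[i], cmd, sizeof cmd);
        if (w < 0) printf("rejected: input of %zu chars would overflow after escaping\n", strlen(inputs[i]));
        else printf("ok (%d bytes): %s\n", w, cmd);
    }
    printf("a 64-byte buffer safely holds at most %zu worst-case chars\n", max_safe_input_len(64));
    return 0;
}
```

The key design point is that the length check is done on the escaped size, not the raw input size; limiting the input alone is only correct if the limit is derived from the buffer with the worst-case expansion factor applied, which is what `max_safe_input_len` computes.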
According to watchTowr: "This ultimately underscores the research we perform internally to reproduce known N-day vulnerabilities, and discover unknown 0-day vulnerabilities - informing our technology, which continuously protects our client base."
SonicWall has published an updated PSIRT advisory (SNWLID-2024-0018) addressing these vulnerabilities.
Organizations using SonicWall SMA100 appliances are strongly advised to update to the latest firmware version immediately, as these vulnerabilities are actively being exploited by attackers to gain unauthorized access and remote code execution capabilities.