CVE-2024-38475 Scanner

CVE-2024-38475 Scanner - Pre-Authentication Arbitrary File Read vulnerability in SonicWall SMA 100

Short Info

Level: Critical
Scan type: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 8 days 18 hours
Scan only one: URL
Toolbox: -

SonicWall SMA 100 is a secure mobile access solution designed to provide secure remote access to corporate resources for mobile users. It allows organizations to securely manage the connections and activities of remote employees. The SMA 100 is part of the SonicWall Secure Mobile Access platform, which is widely used by enterprises to extend secure access to internal applications and data. By offering SSL VPN capabilities, it enables users to access their company's network from virtually any device. The platform integrates with a wide range of security technologies, including single sign-on (SSO), identity management, and endpoint security. SonicWall SMA 100 is commonly deployed in industries like finance, healthcare, and education where remote access to sensitive data must be securely managed.

This vulnerability, found in SonicWall SMA 100, is a Pre-Authentication Arbitrary File Read flaw that stems from improper output escaping in the mod_rewrite module of Apache HTTP Server versions 2.4.59 and earlier, on which the SMA 100 appliance relies. It allows an attacker to map URLs to filesystem locations that should not be directly accessible. By exploiting this issue, an attacker could read sensitive files, such as log files or databases, without authenticating. The issue is a critical security risk precisely because it needs no valid credentials: rewrite rules that fail to properly escape or restrict their substituted output are enough to expose the underlying files.

The vulnerability occurs because Apache's mod_rewrite module does not correctly escape its output in certain scenarios. Specifically, rules in which a backreference or variable forms the first segment of the substitution are affected. By crafting a request that the rewrite rule maps onto a restricted filesystem path (such as a log file or database), an attacker can retrieve that file without authentication. Exploiting the flaw requires sending a specially crafted request to the vulnerable server that resolves to a path such as '/tmp/temp.db' or '/mnt/ram/var/log/httpd.log'. The response may disclose sensitive information such as database records or session data, which can lead to further compromise of the system.

If exploited, this vulnerability allows attackers to read sensitive files, potentially exposing confidential information such as login credentials, session data, and configuration settings. This could lead to unauthorized access to internal resources, data breaches, or further attacks on the system. Attackers could also use the disclosed information to escalate privileges or mount more sophisticated attacks, such as injecting malicious code or stealing sensitive customer data. Since the flaw is pre-authentication, any unauthenticated attacker with network access to the appliance can exploit it, making it highly dangerous for exposed systems. Immediate patching and mitigation are recommended to prevent unauthorized access to sensitive files.
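As an added example (not part of this scanner or of SonicWall's tooling), the following Python checker parses Apache combined-format access log lines, percent-decodes the request path, and flags requests whose decoded path points at the filesystem locations this page names. The log lines are constructed samples, and the prefix and suffix lists are assumptions to extend with what an operator considers sensitive.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 3 uses a percent-encoded "m" so the match has to happen after decoding.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:10:01:02 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [10/May/2024:10:01:05 +0000] "GET /tmp/temp.db HTTP/1.1" 200 65536 "-" "curl/8.0"
203.0.113.12 - - [10/May/2024:10:01:09 +0000] "GET /%6dnt/ram/var/log/httpd.log HTTP/1.1" 200 8192 "-" "python-requests/2.31"
203.0.113.13 - - [10/May/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Filesystem locations the advisory names as readable through the flaw
# (assumed starting point; extend per deployment).
SENSITIVE_PREFIXES = ("/tmp/", "/mnt/ram/var/log/")
SENSITIVE_SUFFIXES = (".db", ".log")


def normalize_path(target: str) -> str:
    """Return the path part of the request target, percent-decoded twice
    so that double-encoded characters are also normalized."""
    path = urlsplit(target).path
    return unquote(unquote(path))


def is_sensitive(path: str) -> bool:
    """True when the decoded path points at a location the advisory lists."""
    return path.startswith(SENSITIVE_PREFIXES) or path.endswith(SENSITIVE_SUFFIXES)


def find_suspicious(log_text: str) -> list[dict]:
    """Parse each log line and collect requests for sensitive paths.
    A 200 status alongside such a path is the strongest disclosure signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = normalize_path(m["target"])
        if is_sensitive(path):
            hits.append({"ip": m["ip"], "path": path, "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ip']} requested {hit['path']} (HTTP {hit['status']})")
```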

References:
