SonicWall has sounded the alarm over a series of security vulnerabilities affecting its VPN hardware, some of which are classified as “critical”.
As noted in an advisory published by the firm, the issues relate to Secure Mobile Access (SMA) 100-series VPN appliances, and could be abused by an unauthenticated user to achieve root-level remote code execution.
The most serious of the vulnerabilities has been assigned a score of 9.8 out of 10 under the Common Vulnerability Scoring System (CVSS), reflecting the opportunity for an attacker to meddle with access privileges and ultimately seize control of the vulnerable VPN device.
“The vulnerability is due to the SonicWall SMA SSLVPN Apache httpd server GET method of mod_cgi module environment variables use a single stack-based buffer using `strcat`. This allows remote attacker to cause Stack-based Buffer Overflow and would result in code execution,” explained SonicWall.
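The bug class SonicWall describes, sketched as an added example (this is not SonicWall's code): unchecked `strcat` appends into one fixed stack buffer, next to a bounded builder that rejects input that does not fit. The 64-byte buffer size, the function names and the sample request values are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ENV_BUF 64 /* constructed size; the advisory does not give the real one */

/* Unsafe pattern from the advisory's description: name=value pairs appended
 * to one fixed buffer with strcat, which never checks the space remaining.
 * Shown for contrast only; it is never called with oversized input here. */
static void build_env_unsafe(char *out, const char *name, const char *val) {
    strcat(out, name);
    strcat(out, "=");
    strcat(out, val);
    strcat(out, ";");
}

/* Bounded append: returns new length, or -1 if the pair does not fit. */
static int append_env_checked(char *out, size_t cap, size_t used,
                              const char *name, const char *val) {
    if (used >= cap) return -1;
    int w = snprintf(out + used, cap - used, "%s=%s;", name, val);
    if (w < 0 || (size_t)w >= cap - used) return -1; /* would truncate */
    return (int)(used + (size_t)w);
}

/* Hypothetical request handler: builds the CGI environment on the stack and
 * fails closed (returns -1) instead of writing past the buffer. */
int handle_request_checked(const char *method, const char *query) {
    char env[ENV_BUF] = "";
    int used = append_env_checked(env, sizeof env, 0, "REQUEST_METHOD", method);
    if (used < 0) return -1;
    used = append_env_checked(env, sizeof env, (size_t)used, "QUERY_STRING", query);
    return used; /* length of the built environment string, or -1 */
}

int main(void) {
    char env[ENV_BUF] = "";
    build_env_unsafe(env, "REQUEST_METHOD", "GET"); /* fits: 19 bytes */
    printf("unsafe builder, small input: %s\n", env);
    printf("short query -> %d\n", handle_request_checked("GET", "id=1"));
    /* constructed oversized value: 31 bytes no longer fit after the method */
    printf("long query  -> %d\n",
           handle_request_checked("GET", "0123456789012345678901234567890"));
    return 0;
}
```

A request the checked builder rejects should be answered with an error and logged, since oversized request values reaching this code path are worth alerting on.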
SonicWall VPN vulnerabilities
Discovered by cybersecurity researchers at Rapid7 and NCC Group, the eight SonicWall VPN vulnerabilities range in severity from medium to critical, and the majority require no form of authentication to exploit.
Mercifully, SonicWall says there is no evidence the vulnerabilities have yet been abused in the wild, but the company has “strongly urged” customers to deploy the relevant patches immediately.
“SonicWall has verified and patched vulnerabilities of critical and medium severity in SMA 100 series appliances, which include SMA 200, 210, 400, 410 and 500v products. SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities,” wrote the firm.
However, these are not the only security bugs to expose SonicWall customers in recent history. Since the turn of the year, the company has been forced to release a “critical firmware update” to patch a zero-day affecting SMA 100-series devices, and a separate patch for an issue with its email security (ES) products.