SonicWall Releases Security Updates for SMA100 SSL-VPN Products

Three buffer overflow vulnerabilities could lead to code execution and three others concern path traversal, authentication bypass, and insecure randomness

Threat ID:: CC-4585
Threat Severity:: Medium
Published:: 5 December 2024 3:41 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Three buffer overflow vulnerabilities could lead to code execution and three others concern path traversal, authentication bypass, and insecure randomness

Affected platforms

The following platforms are known to be affected:

Versions: 10.2.1.13-72sv and earlier

Sonicwall Secure Mobile Access (SMA) 100 Series Appliances

SMA 200
SMA 210
SMA 400
SMA 410
SMA 500v

Note: SonicWall SSL-VPN SMA1000 series products are not affected by these vulnerabilities

Threat details

CVE-2024-38475 under active exploitation

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-38475 to the Known Exploited Vulnerabilities (KEV) catalogue. CVE-2024-38475 can be chained with CVE-2023-44221 to allow a remote unauthenticated attacker to execute arbitrary commands on SMA100 devices.

Security researchers have also published a proof-of-concept exploit. The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

SonicWall has released a security advisory to address six vulnerabilities in SMA100 SSL-VPN appliances. SonicWall Secure Mobile Access (SMA) is a unified secure access gateway that provides a Secure Sockets Layer (SSL) virtual private network (VPN), context aware device authorisation, application level VPN, and advanced authentication with federated single sign-on (SSO) for cloud and on-premises resources.

Vulnerability details

CVE-2024-38475 - attributed to publicly known Apache HTTP Server vulnerability

CWE-35: Path traversal vulnerability with a CVSSv3 Score of 7.5
An attacker exploiting this vulnerability may be able to map URLs to file system locations that are permitted to be served by the server.

CVE-2024-40763 - affecting SonicWALL SMA100 SSLVPN

CWE-122: Heap-based buffer overflow vulnerability with a CVSSv3 score of 7.5
A remote, authenticated attacker could exploit this heap-based buffer overflow vulnerability, potentially leading to remote code execution (RCE).

CVE-2024-45318 - affecting SonicWall SMA100 SSLVPN web management interface

CWE-121: Stack-based buffer overflow vulnerability with a CVSSv3 score of 8.1
An attacker could exploit this stack-based buffer overflow vulnerability, potentially leading to RCE.

CVE-2024-45319 - affecting SonicWall SMA100 SSLVPN

CWE-798: Certificate-based authentication bypass vulnerability with a CVSSv3 score of 6.3
A remote, authenticated attacker can circumvent the certificate requirement during authentication.

CVE-2024-53702 - affecting SonicWall SMA100 SSLVPN backup code generator

CWE-338: Insecure randomness vulnerability with a CVSSv3 score of 5.3
An attacker could exploit this vulnerability by abusing the cryptographically weak pseudo-random number generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator, which could result in exposing the generated secret.

CVE-2024-53703 - affecting SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server

CWE-121: Stack-based buffer overflow vulnerability with a CVSSv3 score of 8.1
An attacker could exploit this stack-based buffer overflow vulnerability, potentially leading to RCE.

Threat updates

Date	Update
2 May 2025	CVE-2024-38475 added to CISA KEV

Remediation advice

Affected organisations are encouraged to review SonicWall advisory SNWLID-2024-0018 and apply the relevant updates.

Definitive source of threat updates

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018

CVE Vulnerabilities

Status Published

CVE-2024-38475

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected. Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Status Published

CVE-2024-40763

Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause Heap-based buffer overflow and potentially lead to code execution.

Status Published

CVE-2024-45318

A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution.

Status Published

CVE-2024-45319

A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions allows a remote authenticated attacker can circumvent the certificate requirement during authentication.

Status Published

CVE-2024-53702

Use of cryptographically weak pseudo-random number generator (PRNG) vulnerability in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret.

Status Published

CVE-2024-53703

A vulnerability in the SonicWall SMA100 SSLVPN firmware 10.2.1.13-72sv and earlier versions mod_httprp library loaded by the Apache web server allows remote attackers to cause Stack-based buffer overflow and potentially lead to code execution.

Last edited: 2 May 2025 11:37 am