Critical pre-authentication arbitrary file read vulnerability in SonicWall SMA 100 series devices

ISGroup Cybersecurity

A serious security vulnerability has been identified in SonicWall Secure Mobile Access (SMA) 100 series devices. This vulnerability, cataloged as CVE-2024-38475, allows unauthorized individuals to remotely access sensitive files stored on affected devices without the need for login credentials. A successful exploit can lead to the exposure of confidential data, with the potential for attackers to gain further control over the system or the protected network. It is known that this vulnerability is being actively exploited in the wild.

ProductSonicWall SMA
Date2025-05-28 13:17:37
Information
  • Fix Available
  • Active Exploitation

Technical Summary

CVE-2024-38475 is a pre-authentication arbitrary file read vulnerability affecting SonicWall SMA 100 series devices. The root cause lies in an underlying flaw within the mod_rewrite module of the Apache HTTP Server (versions 2.4.59 and earlier), which is used by SonicWall devices.

  • Vulnerability Type: Improper output encoding or escaping in mod_rewrite (CWE-116), leading to arbitrary file reading.
  • Mechanism: The Apache mod_rewrite module fails to properly sanitize output when processing specific rewrite rules (substitutions in server context using references or variables as the first segment). An unauthenticated attacker can send a specially crafted HTTP GET request to the target device. The URL in this request is manipulated (e.g., TARGET_FILE%3fMALICIOUS_SUFFIX.EXT, where %3f is a URL-encoded ?) to induce mod_rewrite to map the request to an arbitrary file on the server’s filesystem.
    • For example, a request like GET /tmp/temp.db%3f.1.1.1.1a-1.css can allow an attacker to download the /tmp/temp.db file.

  • Impact: Attackers can read sensitive files, including session databases (e.g., temp.db containing session IDs, CSRF tokens, usernames, and password fields), configuration files, log files, and potentially application source code. This information disclosure can be leveraged to gain further unauthorized access or to escalate privileges, potentially leading to remote code execution (RCE) as part of a chained attack.

Recommendations

Due to the critical nature and active exploitation of this vulnerability, it is strongly recommended to take the following measures:

  1. Apply patches immediately: Apply the security patches and firmware updates provided by SonicWall for SMA 100 series devices as soon as possible. Refer to SonicWall security advisories for specific patched versions.
  2. Restrict access: If you cannot apply the patch immediately, restrict network access to the SMA device management interface. Allow connections only from trusted IP addresses and networks.
  3. Monitor logs: Examine web server logs on SMA devices to detect any suspicious requests that match the exploit pattern (e.g., URLs containing unusual sequences like %3f followed by unexpected extensions or character strings).
  4. Web Application Firewall (WAF): As a layered defense measure, consider implementing WAF rules to block or flag requests that exhibit patterns associated with this exploit. However, this should not replace patching.

[Callforaction-THREAT-Footer]