A serious security vulnerability has been identified in SonicWall Secure Mobile Access (SMA) 100 series devices. This vulnerability, cataloged as CVE-2024-38475, allows unauthorized individuals to remotely access sensitive files stored on affected devices without the need for login credentials. A successful exploit can lead to the exposure of confidential data, with the potential for attackers to gain further control over the system or the protected network. It is known that this vulnerability is being actively exploited in the wild.
| Product | SonicWall SMA |
| Date | 2025-05-28 13:17:37 |
| Information |
|
Technical Summary
CVE-2024-38475 is a pre-authentication arbitrary file read vulnerability affecting SonicWall SMA 100 series devices. The root cause lies in an underlying flaw within the mod_rewrite module of the Apache HTTP Server (versions 2.4.59 and earlier), which is used by SonicWall devices.
- Vulnerability Type: Improper output encoding or escaping in
mod_rewrite(CWE-116), leading to arbitrary file reading. - Mechanism: The Apache
mod_rewritemodule fails to properly sanitize output when processing specific rewrite rules (substitutions in server context using references or variables as the first segment). An unauthenticated attacker can send a specially crafted HTTP GET request to the target device. The URL in this request is manipulated (e.g.,TARGET_FILE%3fMALICIOUS_SUFFIX.EXT, where%3fis a URL-encoded?) to inducemod_rewriteto map the request to an arbitrary file on the server’s filesystem.- For example, a request like
GET /tmp/temp.db%3f.1.1.1.1a-1.csscan allow an attacker to download the/tmp/temp.dbfile.
- For example, a request like
- Impact: Attackers can read sensitive files, including session databases (e.g.,
temp.dbcontaining session IDs, CSRF tokens, usernames, and password fields), configuration files, log files, and potentially application source code. This information disclosure can be leveraged to gain further unauthorized access or to escalate privileges, potentially leading to remote code execution (RCE) as part of a chained attack.
Recommendations
Due to the critical nature and active exploitation of this vulnerability, it is strongly recommended to take the following measures:
- Apply patches immediately: Apply the security patches and firmware updates provided by SonicWall for SMA 100 series devices as soon as possible. Refer to SonicWall security advisories for specific patched versions.
- Restrict access: If you cannot apply the patch immediately, restrict network access to the SMA device management interface. Allow connections only from trusted IP addresses and networks.
- Monitor logs: Examine web server logs on SMA devices to detect any suspicious requests that match the exploit pattern (e.g., URLs containing unusual sequences like
%3ffollowed by unexpected extensions or character strings). - Web Application Firewall (WAF): As a layered defense measure, consider implementing WAF rules to block or flag requests that exhibit patterns associated with this exploit. However, this should not replace patching.
[Callforaction-THREAT-Footer]
