SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions accept user-controlled input that specifies a link to an external site and use that link in a redirect, which leads to an open redirection vulnerability.
{"nessus": [{"lastseen": "2022-08-05T14:31:26", "description": "The remote host is a SonicWall Secure Mobile Access (SMA) device that may be affected by multiple vulnerabilities:\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions uses a shared and hard-coded encryption key to store data. (CVE-2022-1701)\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions accept a user-controlled input that specifies a link to an external site and uses that link in a redirect which leads to Open redirection vulnerability. (CVE-2022-1702)\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions incorrectly restricts access to a resource using HTTP connections from an unauthorized actor leading to Improper Access Control vulnerability. (CVE-2022-22282)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2022-06-08T00:00:00", "type": "nessus", "title": "SonicWall Secure Mobile Access (SMA) 12.4.x < 12.4.1-02994 Multiple Vulnerabilities (SNWLID-2022-0009)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2022-1701", "CVE-2022-1702", "CVE-2022-22282"], "modified": "2022-06-10T00:00:00", "cpe": ["x-cpe:/o:sonicwall:firmware"], "id": "SONICWALL_SMA_SNWLID-2022-0009.NASL", "href": "https://www.tenable.com/plugins/nessus/161951", "sourceData": "##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(161951);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/06/10\");\n\n script_cve_id(\"CVE-2022-1701\", \"CVE-2022-1702\", \"CVE-2022-22282\");\n script_xref(name:\"IAVA\", value:\"2022-A-0229\");\n\n script_name(english:\"SonicWall Secure Mobile Access (SMA) 12.4.x < 12.4.1-02994 Multiple Vulnerabilities (SNWLID-2022-0009)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is a SonicWall Secure Mobile Access (SMA) device that may be affected by multiple vulnerabilities:\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions uses a shared and hard-coded\n encryption key to store data. (CVE-2022-1701)\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions accept a user-controlled input\n that specifies a link to an external site and uses that link in a redirect which leads to Open redirection\n vulnerability. (CVE-2022-1702)\n\n - SonicWall SMA1000 series firmware 12.4.0, 12.4.1-02965 and earlier versions incorrectly restricts access\n to a resource using HTTP connections from an unauthorized actor leading to Improper Access Control\n vulnerability. (CVE-2022-22282)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to a SonicWall SMA version that is 12.4.1-02994 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-22282\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2022/05/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/05/12\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/06/08\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:sonicwall:firmware\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sonicwall_sma_web_detect.nbin\");\n script_require_keys(\"installed_sw/SonicWall Secure Mobile Access\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude('http.inc');\ninclude('vcf.inc');\n\nvar app_name = 'SonicWall Secure Mobile Access';\n\nget_install_count(app_name:app_name, exit_if_zero:TRUE);\n\n# We cannot test for vulnerable models\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\nvar port = get_http_port(default:443, embedded:TRUE);\n\nvar app_info = vcf::get_app_info(app:app_name, port:port, webapp:TRUE);\n\nvar constraints = [\n {'min_version' : '12.4', 'fixed_version' : '12.4.1.02994', 'fixed_display' : '12.4.1-02994'}\n\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2022-05-14T06:22:56", "description": "SonicWall has published an 
[advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0009>) warning of a trio of security flaws in its Secure Mobile Access (SMA) 1000 appliances, including a high-severity authentication bypass vulnerability.\n\nThe weaknesses in question impact SMA 6200, 6210, 7200, 7210, 8000v running firmware versions 12.4.0 and 12.4.1. The list of vulnerabilities is below -\n\n * **CVE-2022-22282** (CVSS score: 8.2) - Unauthenticated Access Control Bypass\n * **CVE-2022-1702** (CVSS score: 6.1) - URL redirection to an untrusted site (open redirection)\n * **CVE-2022-1701** (CVSS score: 5.7) - Use of a shared and hard-coded cryptographic key\n\nSuccessful exploitation of the aforementioned bugs could allow an attacker to gain unauthorized access to internal resources and even redirect potential victims to malicious websites.\n\nTom Wyatt of the Mimecast Offensive Security Team has been credited with discovering and reporting the vulnerabilities.\n\nSonicWall noted that the flaws do not affect SMA 1000 series running versions earlier than 12.4.0, SMA 100 series, Central Management Servers (CMS), and remote access clients.\n\nAlthough there is no evidence that these vulnerabilities are being exploited in the wild, it's recommended that users apply the fixes in the light of the fact that SonicWall appliances have presented an [attractive bullseye](<https://thehackernews.com/2021/12/sonicwall-urges-customers-to.html>) in the past for ransomware attacks.\n\n\"There are no temporary mitigations,\" the network security company [said](<https://www.sonicwall.com/support/knowledge-base/security-notice-sma-1000-series-unauthenticated-access-control-bypass/220510172939820/>). 
\"SonicWall urges impacted customers to implement applicable patches as soon as possible.\"\n", "cvss3": {}, "published": "2022-05-14T05:39:00", "type": "thn", "title": "SonicWall Releases Patches for New Flaws Affecting SSLVPN SMA1000 Devices", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2022-1701", "CVE-2022-1702", "CVE-2022-22282"], "modified": "2022-05-14T05:39:11", "id": "THN:564E7893C32CBCEC3D6F3B986D7E5D83", "href": "https://thehackernews.com/2022/05/sonicwall-releases-patches-for-new.html", "cvss": {"score": 0.0, "vector": "NONE"}}]}