OS Command Injection Vulnerability in SMA100 SSL-VPN by SonicWall
CVE-2023-44221
What is CVE-2023-44221?
CVE-2023-44221 is a significant vulnerability identified in the SMA100 SSL-VPN by SonicWall, a product designed to provide secure remote access to organizational resources. This vulnerability arises from the improper handling of certain elements within the management interface, allowing a remote authenticated attacker with administrative privileges to perform OS command injection. If exploited, this can severely compromise the integrity and security of the systems utilizing this solution, potentially leading to unauthorized command execution and system manipulation.
Technical Details
The vulnerability stems from a flaw in the management interface of the SMA100 SSL-VPN, which fails to adequately neutralize harmful input. This lack of proper validation enables attackers who already possess administrative credentials to inject arbitrary operating system commands. Injected commands execute as the low-privileged 'nobody' user, which could lead to privilege escalation and to exploitation of further vulnerabilities within the operating system or network.
Potential Impact of CVE-2023-44221
- Unauthorized Access and Control: Exploitation of this vulnerability can grant attackers the ability to execute arbitrary commands on the affected system, enabling them to manipulate data and configurations without detection.
- Data Breaches: The command injection could expose sensitive organizational data and credentials, resulting in potential data breaches and loss of confidential information.
- Increased Attack Surface: Successful exploitation may create a foothold for attackers to introduce further malicious tools or malware, leading to ransomware attacks or broader network compromises.
CISA has reported CVE-2023-44221
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2023-44221 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
SMA100 SMA 200 10.2.1.9-57sv and earlier versions
News Articles
2 SonicWall Vulnerabilities Under Active Exploit
The vulnerabilities affect SonicWall's SMA devices for secure remote access, which have been heavily targeted by threat actors in the past.
3 weeks ago
PoC Published for Exploited SonicWall Vulnerabilities
PoC code targeting two exploited SonicWall vulnerabilities was published just CISA added them to the KEV catalog.
3 weeks ago
watchTowr Warns of Active Exploitation of SonicWall SMA 100 Devices
watchTowr reveals active exploitation of SonicWall SMA 100 vulnerabilities (CVE-2024-38475 & CVE-2023-44221) leading to full system takeover.
3 weeks ago
EPSS Score
46% chance of being exploited in the next 30 days.
Timeline
- 📈 Vulnerability started trending
- 💰 Used in Ransomware
- 🦅 CISA Reported
- 👾 Exploit known to exist
- 📰 First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability Reserved