ID

VAR-200711-0039


CVE

CVE-2007-5814


TITLE

SonicWall NetExtender NELaunchCtrl ActiveX control stack buffer overflow

Trust: 0.8

sources: CERT/CC: VU#298521

DESCRIPTION

Multiple buffer overflows in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allow remote attackers to execute arbitrary code via a long (1) serverAddress, (2) sessionId, (3) clientIPLower, (4) clientIPHigher, (5) userName, (6) domainName, or (7) dnsSuffix Unicode property value. NOTE: the AddRouteEntry vector is covered by CVE-2007-5603.

The SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control contains a buffer overflow vulnerability.

SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application and delete arbitrary files on the client's computer. Failed exploit attempts will result in denial-of-service conditions. These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable.

SonicWALL SSL-VPN provides simple, easy-to-use VPN solutions for enterprise networks. The ActiveX control implementation of SonicWALL SSL-VPN contains multiple security holes, and remote attackers may take advantage of these holes to control the user's system.

----------------------------------------------------------------------

TITLE: SonicWALL SSL VPN ActiveX Controls Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA27469

VERIFY ADVISORY: http://secunia.com/advisories/27469/

CRITICAL: Highly critical

IMPACT: Manipulation of data, System access

WHERE: From remote

OPERATING SYSTEM:
SonicWALL SSL-VPN 2000 2.x http://secunia.com/product/9056/
SonicWALL SSL-VPN 200 2.x http://secunia.com/product/16416/
SonicWALL SSL-VPN 4000 2.x http://secunia.com/product/16417/

DESCRIPTION: Some vulnerabilities have been reported in SonicWALL SSL VPN, which can be exploited by malicious people to delete arbitrary files or to compromise a user's system.

1) Boundary errors within the NetExtender NELaunchCtrl ActiveX control when handling arguments passed to certain methods (e.g. "AddRouteEntry()", "serverAddress()", "sessionId()", "clientIPLower()", "clientIPHigher()", "userName()", "domainName()", and "dnsSuffix()") can be exploited to cause buffer overflows when a user e.g. visits a malicious website.

Other versions may also be affected.

SOLUTION: Update to firmware version 2.5 for SonicWALL SSL VPN 2000/4000, and version 2.1 for SonicWALL SSL-VPN 200. http://www.sonicwall.com/us/643.htm

PROVIDED AND/OR DISCOVERED BY:
1) Independently discovered by:
* lofi42
* Will Dormann, CERT/CC ("AddRouteEntry()" method)
2) lofi42

ORIGINAL ADVISORY:
SEC Consult: http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt
US-CERT VU#298521: http://www.kb.cert.org/vuls/id/298521

Trust: 2.79

sources: NVD: CVE-2007-5814 // CERT/CC: VU#298521 // JVNDB: JVNDB-2007-006293 // BID: 26288 // VULHUB: VHN-29176 // PACKETSTORM: 60650

AFFECTED PRODUCTS

vendor: sonicwall // model: ssl vpn // scope: lte // version: 2.1

Trust: 1.0

vendor: sonicwall // model: ssl vpn // scope: lte // version: 2.5

Trust: 1.0

vendor: sonicwall // model: - // scope: - // version: -

Trust: 0.8

vendor: sonicwall // model: ssl vpn // scope: lt // version: 2.5.x

Trust: 0.8

vendor: sonicwall // model: ssl vpn // scope: eq // version: 2.5.0.56

Trust: 0.8

vendor: sonicwall // model: ssl vpn // scope: eq // version: 2.5

Trust: 0.6

vendor: sonicwall // model: ssl vpn // scope: eq // version: 2.1

Trust: 0.6

vendor: sonicwall // model: ssl vpn // scope: eq // version: 1.33

Trust: 0.3

vendor: sonicwall // model: ssl vpn // scope: ne // version: 2002.1

Trust: 0.3

vendor: sonicwall // model: ssl vpn // scope: ne // version: 2.5

Trust: 0.3

sources: CERT/CC: VU#298521 // BID: 26288 // JVNDB: JVNDB-2007-006293 // NVD: CVE-2007-5814 // CNNVD: CNNVD-200711-065

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2007-5814
value: HIGH

Trust: 1.8

CARNEGIE MELLON: VU#298521
value: 25.92

Trust: 0.8

CNNVD: CNNVD-200711-065
value: CRITICAL

Trust: 0.6

VULHUB: VHN-29176
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2007-5814
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-29176
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29176 // JVNDB: JVNDB-2007-006293 // NVD: CVE-2007-5814 // CNNVD: CNNVD-200711-065

PROBLEMTYPE DATA

problemtype:CWE-119

Trust: 1.9

sources: VULHUB: VHN-29176 // JVNDB: JVNDB-2007-006293 // NVD: CVE-2007-5814

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200711-065

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200711-065

CONFIGURATIONS

sources: NVD: CVE-2007-5814

PATCH

title: SSL-VPN // url: http://o-www.sonicwall.com/us/en/products/secure_remote_access.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-006293

EXTERNAL IDS

db: NVD // id: CVE-2007-5814

Trust: 2.8

db: SECUNIA // id: 27469

Trust: 2.7

db: BID // id: 26288

Trust: 2.0

db: SREASON // id: 3342

Trust: 1.7

db: VUPEN // id: ADV-2007-3696

Trust: 1.7

db: CERT/CC // id: VU#298521

Trust: 1.2

db: JVNDB // id: JVNDB-2007-006293

Trust: 0.8

db: BUGTRAQ // id: 20071101 SEC CONSULT SA-20071101-0 :: MULTIPLE VULNERABILITIES IN SONICWALLSSL-VPN CLIENT

Trust: 0.6

db: XF // id: 38220

Trust: 0.6

db: CNNVD // id: CNNVD-200711-065

Trust: 0.6

db: VULHUB // id: VHN-29176

Trust: 0.1

db: PACKETSTORM // id: 60650

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29176 // BID: 26288 // JVNDB: JVNDB-2007-006293 // PACKETSTORM: 60650 // NVD: CVE-2007-5814 // CNNVD: CNNVD-200711-065

REFERENCES

url:http://www.sec-consult.com/fileadmin/advisories/20071101-0_sonicwall_multiple.txt

Trust: 2.6

url:http://www.securityfocus.com/bid/26288

Trust: 1.7

url:http://www.sec-consult.com/303.html

Trust: 1.7

url:http://secunia.com/advisories/27469

Trust: 1.7

url:http://securityreason.com/securityalert/3342

Trust: 1.7

url:http://www.securityfocus.com/archive/1/483097/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2007/3696

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/38220

Trust: 1.1

url:http://www.sonicwall.com/us/643.htm

Trust: 0.9

url:http://secunia.com/advisories/27469/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5814

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5814

Trust: 0.8

url:/archive/1/483097

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/38220

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/483097/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2007/3696

Trust: 0.6

url:http://www.kb.cert.org/vuls/id/298521

Trust: 0.4

url:http://support.microsoft.com/kb/240797

Trust: 0.3

url:http://www.sonicwall.com

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/9056/

Trust: 0.1

url:http://secunia.com/product/16417/

Trust: 0.1

url:http://secunia.com/product/16416/

Trust: 0.1

url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29176 // BID: 26288 // JVNDB: JVNDB-2007-006293 // PACKETSTORM: 60650 // NVD: CVE-2007-5814 // CNNVD: CNNVD-200711-065

CREDITS

Bernhard Mueller research@sec-consult.com

Trust: 0.6

sources: CNNVD: CNNVD-200711-065

SOURCES

db: CERT/CC // id: VU#298521
db: VULHUB // id: VHN-29176
db: BID // id: 26288
db: JVNDB // id: JVNDB-2007-006293
db: PACKETSTORM // id: 60650
db: NVD // id: CVE-2007-5814
db: CNNVD // id: CNNVD-200711-065

LAST UPDATE DATE

2023-12-18T12:58:59.270000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#298521 // date: 2009-04-13T00:00:00
db: VULHUB // id: VHN-29176 // date: 2018-10-15T00:00:00
db: BID // id: 26288 // date: 2007-11-15T00:37:00
db: JVNDB // id: JVNDB-2007-006293 // date: 2012-12-20T00:00:00
db: NVD // id: CVE-2007-5814 // date: 2018-10-15T21:46:38.113
db: CNNVD // id: CNNVD-200711-065 // date: 2007-11-07T00:00:00

SOURCES RELEASE DATE

db: CERT/CC // id: VU#298521 // date: 2007-11-02T00:00:00
db: VULHUB // id: VHN-29176 // date: 2007-11-05T00:00:00
db: BID // id: 26288 // date: 2007-11-01T00:00:00
db: JVNDB // id: JVNDB-2007-006293 // date: 2012-12-20T00:00:00
db: PACKETSTORM // id: 60650 // date: 2007-11-03T02:36:00
db: NVD // id: CVE-2007-5814 // date: 2007-11-05T18:46:00
db: CNNVD // id: CNNVD-200711-065 // date: 2007-11-05T00:00:00