ID

VAR-200711-0040


CVE

CVE-2007-5815


TITLE

SonicWall NetExtender NELaunchCtrl ActiveX control stack buffer overflow

Trust: 0.8

sources: CERT/CC: VU#298521

DESCRIPTION

Absolute path traversal vulnerability in the WebCacheCleaner ActiveX control 1.3.0.3 in SonicWall SSL-VPN 200 before 2.1, and SSL-VPN 2000/4000 before 2.5, allows remote attackers to delete arbitrary files via a full pathname in the argument to the FileDelete method. SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities. Failed exploit attempts will result in denial-of-service conditions. These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable. SonicWALL SSL-VPN can provide simple and easy-to-use VPN solutions for enterprise networks.

----------------------------------------------------------------------

TITLE: SonicWALL SSL VPN ActiveX Controls Multiple Vulnerabilities

SECUNIA ADVISORY ID: SA27469

VERIFY ADVISORY: http://secunia.com/advisories/27469/

CRITICAL: Highly critical

IMPACT: Manipulation of data, System access

WHERE: From remote

OPERATING SYSTEM:
SonicWALL SSL-VPN 2000 2.x http://secunia.com/product/9056/
SonicWALL SSL-VPN 200 2.x http://secunia.com/product/16416/
SonicWALL SSL-VPN 4000 2.x http://secunia.com/product/16417/

DESCRIPTION: Some vulnerabilities have been reported in SonicWALL SSL VPN, which can be exploited by malicious people to delete arbitrary files or to compromise a user's system.

1) Boundary errors within the NetExtender NELaunchCtrl ActiveX control when handling arguments passed to certain methods (e.g. "AddRouteEntry()", "serverAddress()", "sessionId()", "clientIPLower()", "clientIPHigher()", "userName()", "domainName()", and "dnsSuffix()") can be exploited to cause buffer overflows when a user e.g. visits a malicious website.

The vulnerabilities are reported in WebCacheCleaner ActiveX control version 1.3.0.3 and NeLaunchCtrl ActiveX control version 2.1.0.49. Other versions may also be affected.

SOLUTION: Update to firmware version 2.5 for SonicWALL SSL VPN 2000/4000, and version 2.1 for SonicWALL SSL-VPN 200.
http://www.sonicwall.com/us/643.htm

PROVIDED AND/OR DISCOVERED BY:
1) Independently discovered by:
* lofi42
* Will Dormann, CERT/CC ("AddRouteEntry()" method)
2) lofi42

ORIGINAL ADVISORY:
SEC Consult: http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt
US-CERT VU#298521: http://www.kb.cert.org/vuls/id/298521

Trust: 2.79

sources: NVD: CVE-2007-5815 // CERT/CC: VU#298521 // JVNDB: JVNDB-2007-006294 // BID: 26288 // VULHUB: VHN-29177 // PACKETSTORM: 60650

AFFECTED PRODUCTS

vendor: sonicwall // model: ssl vpn2000/4000 // scope: lte // version: 2.5

Trust: 1.0

vendor: sonicwall // model: ssl vpn 200 // scope: lte // version: 2.1

Trust: 1.0

vendor: sonicwall // model: - // scope: - // version: -

Trust: 0.8

vendor: sonicwall // model: ssl vpn 200 // scope: lt // version: 2.1

Trust: 0.8

vendor: sonicwall // model: ssl vpn2000/4000 // scope: lt // version: 2.5

Trust: 0.8

vendor: sonicwall // model: ssl vpn2000/4000 // scope: eq // version: 2.5

Trust: 0.6

vendor: sonicwall // model: ssl vpn 200 // scope: eq // version: 2.1

Trust: 0.6

vendor: sonicwall // model: ssl vpn // scope: eq // version: 1.33

Trust: 0.3

vendor: sonicwall // model: ssl vpn // scope: ne // version: 2002.1

Trust: 0.3

vendor: sonicwall // model: ssl vpn // scope: ne // version: 2.5

Trust: 0.3

sources: CERT/CC: VU#298521 // BID: 26288 // JVNDB: JVNDB-2007-006294 // NVD: CVE-2007-5815 // CNNVD: CNNVD-200711-040

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2007-5815
value: HIGH

Trust: 1.8

CARNEGIE MELLON: VU#298521
value: 25.92

Trust: 0.8

CNNVD: CNNVD-200711-040
value: CRITICAL

Trust: 0.6

VULHUB: VHN-29177
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2007-5815
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-29177
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29177 // JVNDB: JVNDB-2007-006294 // NVD: CVE-2007-5815 // CNNVD: CNNVD-200711-040

PROBLEMTYPE DATA

problemtype:CWE-22

Trust: 1.9

sources: VULHUB: VHN-29177 // JVNDB: JVNDB-2007-006294 // NVD: CVE-2007-5815

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200711-040

TYPE

path traversal

Trust: 0.6

sources: CNNVD: CNNVD-200711-040

CONFIGURATIONS

sources: NVD: CVE-2007-5815

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-29177

PATCH

title: SSL-VPN 200 // url: http://o-www.sonicwall.com/us/en/products/secure_remote_access.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-006294

EXTERNAL IDS

db: NVD // id: CVE-2007-5815

Trust: 2.8

db: SECUNIA // id: 27469

Trust: 2.7

db: BID // id: 26288

Trust: 2.0

db: SREASON // id: 3342

Trust: 1.7

db: VUPEN // id: ADV-2007-3696

Trust: 1.7

db: CERT/CC // id: VU#298521

Trust: 1.2

db: JVNDB // id: JVNDB-2007-006294

Trust: 0.8

db: BUGTRAQ // id: 20071101 SEC CONSULT SA-20071101-0 :: MULTIPLE VULNERABILITIES IN SONICWALLSSL-VPN CLIENT

Trust: 0.6

db: XF // id: 38221

Trust: 0.6

db: CNNVD // id: CNNVD-200711-040

Trust: 0.6

db: EXPLOIT-DB // id: 30730

Trust: 0.1

db: SEEBUG // id: SSVID-84097

Trust: 0.1

db: VULHUB // id: VHN-29177

Trust: 0.1

db: PACKETSTORM // id: 60650

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29177 // BID: 26288 // JVNDB: JVNDB-2007-006294 // PACKETSTORM: 60650 // NVD: CVE-2007-5815 // CNNVD: CNNVD-200711-040

REFERENCES

url:http://www.sec-consult.com/fileadmin/advisories/20071101-0_sonicwall_multiple.txt

Trust: 2.6

url:http://www.securityfocus.com/bid/26288

Trust: 1.7

url:http://www.sec-consult.com/303.html

Trust: 1.7

url:http://secunia.com/advisories/27469

Trust: 1.7

url:http://securityreason.com/securityalert/3342

Trust: 1.7

url:http://www.securityfocus.com/archive/1/483097/100/0/threaded

Trust: 1.1

url:http://www.vupen.com/english/advisories/2007/3696

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/38221

Trust: 1.1

url:http://www.sonicwall.com/us/643.htm

Trust: 0.9

url:http://secunia.com/advisories/27469/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5815

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5815

Trust: 0.8

url:/archive/1/483097

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/38221

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/483097/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2007/3696

Trust: 0.6

url:http://www.kb.cert.org/vuls/id/298521

Trust: 0.4

url:http://support.microsoft.com/kb/240797

Trust: 0.3

url:http://www.sonicwall.com

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/9056/

Trust: 0.1

url:http://secunia.com/product/16417/

Trust: 0.1

url:http://secunia.com/product/16416/

Trust: 0.1

url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-29177 // BID: 26288 // JVNDB: JVNDB-2007-006294 // PACKETSTORM: 60650 // NVD: CVE-2007-5815 // CNNVD: CNNVD-200711-040

CREDITS

Bernhard Mueller research@sec-consult.com

Trust: 0.6

sources: CNNVD: CNNVD-200711-040

SOURCES

db: CERT/CC // id: VU#298521
db: VULHUB // id: VHN-29177
db: BID // id: 26288
db: JVNDB // id: JVNDB-2007-006294
db: PACKETSTORM // id: 60650
db: NVD // id: CVE-2007-5815
db: CNNVD // id: CNNVD-200711-040

LAST UPDATE DATE

2023-12-18T12:58:59.232000+00:00


SOURCES UPDATE DATE

db: CERT/CC // id: VU#298521 // date: 2009-04-13T00:00:00
db: VULHUB // id: VHN-29177 // date: 2018-10-15T00:00:00
db: BID // id: 26288 // date: 2007-11-15T00:37:00
db: JVNDB // id: JVNDB-2007-006294 // date: 2012-12-20T00:00:00
db: NVD // id: CVE-2007-5815 // date: 2018-10-15T21:46:38.940
db: CNNVD // id: CNNVD-200711-040 // date: 2007-11-06T00:00:00

SOURCES RELEASE DATE

db: CERT/CC // id: VU#298521 // date: 2007-11-02T00:00:00
db: VULHUB // id: VHN-29177 // date: 2007-11-05T00:00:00
db: BID // id: 26288 // date: 2007-11-01T00:00:00
db: JVNDB // id: JVNDB-2007-006294 // date: 2012-12-20T00:00:00
db: PACKETSTORM // id: 60650 // date: 2007-11-03T02:36:00
db: NVD // id: CVE-2007-5815 // date: 2007-11-05T18:46:00
db: CNNVD // id: CNNVD-200711-040 // date: 2007-11-05T00:00:00