ID

VAR-200711-0278


CVE

CVE-2007-5603


TITLE

SonicWall NetExtender NELaunchCtrl ActiveX control stack buffer overflow

Trust: 0.8

sources: CERT/CC: VU#298521

DESCRIPTION

Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.

SonicWALL SSL VPN Client is prone to multiple remote vulnerabilities. The issues occur in different ActiveX controls and include arbitrary-file-deletion and multiple stack-based buffer-overflow vulnerabilities. Attackers can exploit these issues to execute arbitrary code within the context of the affected application and delete arbitrary files on the client's computer. Failed exploit attempts will result in denial-of-service conditions. These issues affect SonicWALL SSL VPN 1.3.0.3 software as well as WebCacheCleaner 1.3.0.3 and NeLaunchCtrl 2.1.0.49 ActiveX controls; other versions may also be vulnerable.

SonicWALL SSL-VPN can provide simple and easy-to-use VPN solutions for enterprise networks. For the stack buffer overflow, the following method call can be used to make the process jump to the address UVWX: o.AddRouteEntry("", "ABCDEFGHIJKLMNOPQRSTUVWX"); The following properties are also affected by a Unicode overflow: serverAddress, sessionId, clientIPLower, clientIPHigher, userName, domainName, dnsSuffix.

TITLE: SonicWALL SSL VPN ActiveX Controls Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA27469
VERIFY ADVISORY: http://secunia.com/advisories/27469/
CRITICAL: Highly critical
IMPACT: Manipulation of data, System access
WHERE: From remote
OPERATING SYSTEM:
SonicWALL SSL-VPN 2000 2.x http://secunia.com/product/9056/
SonicWALL SSL-VPN 200 2.x http://secunia.com/product/16416/
SonicWALL SSL-VPN 4000 2.x http://secunia.com/product/16417/

DESCRIPTION: Some vulnerabilities have been reported in SonicWALL SSL VPN, which can be exploited by malicious people to delete arbitrary files or to compromise a user's system.

1) Boundary errors within the NetExtender NELaunchCtrl ActiveX control when handling arguments passed to certain methods (e.g. "AddRouteEntry()", "serverAddress()", "sessionId()", "clientIPLower()", "clientIPHigher()", "userName()", "domainName()", and "dnsSuffix()") can be exploited to cause buffer overflows when a user e.g. visits a malicious website.

The vulnerabilities are reported in WebCacheCleaner ActiveX control version 1.3.0.3 and NeLaunchCtrl ActiveX control version 2.1.0.49. Other versions may also be affected.

SOLUTION: Update to firmware version 2.5 for SonicWALL SSL VPN 2000/4000, and version 2.1 for SonicWALL SSL-VPN 200. http://www.sonicwall.com/us/643.htm

PROVIDED AND/OR DISCOVERED BY:
1) Independently discovered by:
* lofi42
* Will Dormann, CERT/CC ("AddRouteEntry()" method)
2) lofi42

ORIGINAL ADVISORY:
SEC Consult: http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt
US-CERT VU#298521: http://www.kb.cert.org/vuls/id/298521

Trust: 2.79

sources: NVD: CVE-2007-5603 // CERT/CC: VU#298521 // JVNDB: JVNDB-2007-006245 // BID: 26288 // VULHUB: VHN-28965 // PACKETSTORM: 60650

AFFECTED PRODUCTS

vendor: sonicwall, model: ssl vpn, scope: lte, version: 2.1

Trust: 1.0

vendor: sonicwall, model: ssl vpn, scope: lte, version: 2.5

Trust: 1.0

vendor: sonicwall, model: -, scope: -, version: -

Trust: 0.8

vendor: sonicwall, model: ssl vpn, scope: lt, version: 2.5.x

Trust: 0.8

vendor: sonicwall, model: ssl vpn, scope: eq, version: 2.5.0.56

Trust: 0.8

vendor: sonicwall, model: ssl vpn, scope: eq, version: 2.5

Trust: 0.6

vendor: sonicwall, model: ssl vpn, scope: eq, version: 2.1

Trust: 0.6

vendor: sonicwall, model: ssl vpn, scope: eq, version: 1.33

Trust: 0.3

vendor: sonicwall, model: ssl vpn, scope: ne, version: 2002.1

Trust: 0.3

vendor: sonicwall, model: ssl vpn, scope: ne, version: 2.5

Trust: 0.3

sources: CERT/CC: VU#298521 // BID: 26288 // JVNDB: JVNDB-2007-006245 // NVD: CVE-2007-5603 // CNNVD: CNNVD-200711-041

CVSS

SEVERITY

CVSSV2

CVSSV3

NVD: CVE-2007-5603
value: HIGH

Trust: 1.8

CARNEGIE MELLON: VU#298521
value: 25.92

Trust: 0.8

CNNVD: CNNVD-200711-041
value: CRITICAL

Trust: 0.6

VULHUB: VHN-28965
value: HIGH

Trust: 0.1

NVD:
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: FALSE
obtainAllPrivilege: FALSE
obtainUserPrivilege: FALSE
obtainOtherPrivilege: FALSE
userInteractionRequired: FALSE
version: 2.0

Trust: 1.0

NVD: CVE-2007-5603
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-28965
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-28965 // JVNDB: JVNDB-2007-006245 // NVD: CVE-2007-5603 // CNNVD: CNNVD-200711-041

PROBLEMTYPE DATA

problemtype: CWE-119

Trust: 1.9

sources: VULHUB: VHN-28965 // JVNDB: JVNDB-2007-006245 // NVD: CVE-2007-5603

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200711-041

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200711-041

CONFIGURATIONS

sources: NVD: CVE-2007-5603

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-28965

PATCH

title: SSL-VPN, url: http://o-www.sonicwall.com/us/en/products/secure_remote_access.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-006245

EXTERNAL IDS

db: CERT/CC, id: VU#298521

Trust: 3.7

db: NVD, id: CVE-2007-5603

Trust: 2.8

db: SECUNIA, id: 27469

Trust: 2.7

db: BID, id: 26288

Trust: 2.0

db: EXPLOIT-DB, id: 4594

Trust: 1.7

db: SREASON, id: 3342

Trust: 1.7

db: SECTRACK, id: 1018891

Trust: 1.7

db: VUPEN, id: ADV-2007-3696

Trust: 1.7

db: JVNDB, id: JVNDB-2007-006245

Trust: 0.8

db: MILW0RM, id: 4594

Trust: 0.6

db: BUGTRAQ, id: 20071101 SEC CONSULT SA-20071101-0 :: MULTIPLE VULNERABILITIES IN SONICWALLSSL-VPN CLIENT

Trust: 0.6

db: XF, id: 38220

Trust: 0.6

db: CNNVD, id: CNNVD-200711-041

Trust: 0.6

db: EXPLOIT-DB, id: 16616

Trust: 0.1

db: PACKETSTORM, id: 83233

Trust: 0.1

db: SEEBUG, id: SSVID-71130

Trust: 0.1

db: VULHUB, id: VHN-28965

Trust: 0.1

db: PACKETSTORM, id: 60650

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-28965 // BID: 26288 // JVNDB: JVNDB-2007-006245 // PACKETSTORM: 60650 // NVD: CVE-2007-5603 // CNNVD: CNNVD-200711-041

REFERENCES

url:http://www.kb.cert.org/vuls/id/298521

Trust: 2.9

url:http://www.sec-consult.com/fileadmin/advisories/20071101-0_sonicwall_multiple.txt

Trust: 2.6

url:http://www.securityfocus.com/bid/26288

Trust: 1.7

url:http://www.kb.cert.org/vuls/id/wdon-78k56m

Trust: 1.7

url:http://www.sec-consult.com/303.html

Trust: 1.7

url:http://www.securitytracker.com/id?1018891

Trust: 1.7

url:http://secunia.com/advisories/27469

Trust: 1.7

url:http://securityreason.com/securityalert/3342

Trust: 1.7

url:http://www.securityfocus.com/archive/1/483097/100/0/threaded

Trust: 1.1

url:https://www.exploit-db.com/exploits/4594

Trust: 1.1

url:http://www.vupen.com/english/advisories/2007/3696

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/38220

Trust: 1.1

url:http://www.sonicwall.com/us/643.htm

Trust: 0.9

url:http://secunia.com/advisories/27469/

Trust: 0.9

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-5603

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-5603

Trust: 0.8

url:/archive/1/483097

Trust: 0.6

url:http://xforce.iss.net/xforce/xfdb/38220

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/483097/100/0/threaded

Trust: 0.6

url:http://www.milw0rm.com/exploits/4594

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2007/3696

Trust: 0.6

url:http://support.microsoft.com/kb/240797

Trust: 0.3

url:http://www.sonicwall.com

Trust: 0.3

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/9056/

Trust: 0.1

url:http://secunia.com/product/16417/

Trust: 0.1

url:http://secunia.com/product/16416/

Trust: 0.1

url:http://corporate.secunia.com/how_to_buy/38/vi/?ref=secadv

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: CERT/CC: VU#298521 // VULHUB: VHN-28965 // BID: 26288 // JVNDB: JVNDB-2007-006245 // PACKETSTORM: 60650 // NVD: CVE-2007-5603 // CNNVD: CNNVD-200711-041

CREDITS

Bernhard Mueller research@sec-consult.com

Trust: 0.6

sources: CNNVD: CNNVD-200711-041

SOURCES

db: CERT/CC, id: VU#298521
db: VULHUB, id: VHN-28965
db: BID, id: 26288
db: JVNDB, id: JVNDB-2007-006245
db: PACKETSTORM, id: 60650
db: NVD, id: CVE-2007-5603
db: CNNVD, id: CNNVD-200711-041

LAST UPDATE DATE

2023-12-18T12:58:59.309000+00:00


SOURCES UPDATE DATE

db: CERT/CC, id: VU#298521, date: 2009-04-13T00:00:00
db: VULHUB, id: VHN-28965, date: 2018-10-15T00:00:00
db: BID, id: 26288, date: 2007-11-15T00:37:00
db: JVNDB, id: JVNDB-2007-006245, date: 2012-12-20T00:00:00
db: NVD, id: CVE-2007-5603, date: 2018-10-15T21:45:44.643
db: CNNVD, id: CNNVD-200711-041, date: 2007-11-06T00:00:00

SOURCES RELEASE DATE

db: CERT/CC, id: VU#298521, date: 2007-11-02T00:00:00
db: VULHUB, id: VHN-28965, date: 2007-11-05T00:00:00
db: BID, id: 26288, date: 2007-11-01T00:00:00
db: JVNDB, id: JVNDB-2007-006245, date: 2012-12-20T00:00:00
db: PACKETSTORM, id: 60650, date: 2007-11-03T02:36:00
db: NVD, id: CVE-2007-5603, date: 2007-11-05T18:46:00
db: CNNVD, id: CNNVD-200711-041, date: 2007-11-05T00:00:00