SonicWall SSL-VPN 8.0.0.0 RCE via ShellShock exploit
Description
SonicWall SSL-VPN products running version 8.0.0.0 and earlier include an outdated version of Bash that is vulnerable to ShellShock (CVE-2014-6271). This flaw allows unauthenticated attackers to inject and execute arbitrary commands through specially crafted HTTP requests to the /cgi-bin/jarrewrite.sh CGI endpoint.
This vulnerability was addressed in SMA version 8.0.0.4, released in 2015. Versions 9.x and 10.x are not affected by this specific vulnerability.
Remediation
Take the following steps to remediate this vulnerability:
Immediate Actions:
- Identify all SonicWall SSL-VPN appliances running version 8.0.0.0 or earlier in your environment
- If immediate patching is not possible, implement network-level access controls to restrict access to the management interface to trusted IP addresses only
- Monitor logs for suspicious requests to /cgi-bin/jarrewrite.sh or other CGI endpoints
Permanent Remediation:
- Upgrade affected SonicWall SMA appliances to version 8.0.0.4 or later, or preferably to the latest supported version (9.x or 10.x series)
- After upgrading, verify the patch was successful by checking the firmware version in the administration console
- Review system logs and conduct a security assessment to determine if the system was previously compromised
- Rotate all credentials and certificates if there is any indication of prior exploitation
Note: SonicWall version 8.x is end-of-life. Migration to a currently supported version is strongly recommended.
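The log monitoring and log review steps above, as an added example that is not part of the original advisory or of SonicWall's tooling: a Python triage pass that flags the Bash function-definition marker `() {` in logged request fields and any request to /cgi-bin/jarrewrite.sh. The Apache combined log layout, the sample lines and the /cgi-bin/status path are assumptions constructed for illustration.

```python
import re

# Assumption: Apache "combined" access-log layout; adapt the pattern to the
# format your appliance or upstream proxy actually exports.
LOG_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" \d{3} \S+'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?'
)
# Bash function-definition prefix, the input marker for CVE-2014-6271.
MARKER_RE = re.compile(r'\(\)\s*\{')
CGI_PATH = "/cgi-bin/jarrewrite.sh"  # endpoint named in the advisory


def classify(line):
    """Return (severity, source, path) for a suspicious line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    logged = (m.group("path"), m.group("referer") or "", m.group("agent") or "")
    marker = any(MARKER_RE.search(field) for field in logged)
    if marker and path == CGI_PATH:
        return ("high", m.group("src"), path)
    if marker:
        return ("medium", m.group("src"), path)  # marker aimed at another endpoint
    if path == CGI_PATH:
        # CGI hands every request header to the script, but the access log
        # records only a few, so a clean-looking line still needs review.
        return ("review", m.group("src"), path)
    return None


def scan(lines):
    """Classify every line and return the findings in input order."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 0 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.4 - - [01/Jan/2024:10:00:09 +0000] "GET /cgi-bin/jarrewrite.sh HTTP/1.1" 200 0 "-" "curl/8.0"',
    '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "() { x; }" "-"',
]

if __name__ == "__main__":
    for severity, src, path in scan(SAMPLE_LOG):
        print(f"{severity:6} {src:15} {path}")
```

A run with no "high" or "medium" findings does not establish that the appliance was never targeted, because only the logged fields are inspected.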