A Disturbing Trend in Network Security

In the year 2025, one can't shake the feeling that there's an unspoken agreement in the tech industry—every network appliance must boast at least one easily avoidable HTTP header parsing flaw, preferably one that's accessible before authentication. If this is indeed the case, SonicWall's SMA100 series has certainly hit the mark and may even earn itself a bonus.

Unearthing Legacy Vulnerabilities

Our investigation began with examining SonicWall’s recent security flaws that had attracted attention from advanced persistent threat (APT) groups. Amidst a haze of erroneous headers and reverse proxy complexities, we uncovered vulnerabilities that seem to belong to a bygone era of C programming.

While we recognize that exploiting these vulnerabilities can be challenging—if not impossible in some instances—the mere existence of pre-authentication stack and heap overflows triggered by malformed HTTP headers is frankly disheartening. 2025 has brought us to this juncture.

Exploring the Flaws

This article will detail three vulnerabilities we discovered in the SonicWall SMA100 series, all confirmed against firmware version 10.2.1.15: - **CVE-2025-40596**: Stack-based buffer overflow (pre-auth) - **CVE-2025-40597**: Heap-based buffer overflow (pre-auth) - **CVE-2025-40598**: Reflected XSS (pre-auth, user interaction required) Buckle up as we dive into the nitty-gritty.

CVE-2025-40596: The Stack-Based Buffer Overflow

While examining the httpd binary responsible for managing incoming HTTP requests, we stumbled upon a concerning stack-based buffer overflow. Even IDA struggled to decompile the vulnerable function.

The httpd binary includes logic to map incoming requests. If a URI starts with */__api__/*, the execution triggers a logic sequence that inadvertently opens the door to buffer overflow.

Here’s how it unfolds: the binary compares the incoming URI against the string */__api__/* using strncasecmp. When a match is detected, it jumps to a section of code that employs the notorious sscanf function to parse user input.

The function is designed to process URIs that look like this: https://x.x.x.x/__api__/v1/login However, it copies user input into an 800-byte stack buffer without any boundary checks. For example, simply sending a request like this can trigger the overflow: ```python import requests; requests.get("https://x.x.x.x/__api__/v1/"+'A'*3000,verify=False) ```

CVE-2025-40597: The Heap-Based Buffer Overflow

As if one vulnerability wasn’t enough, we stumbled onto another while analyzing the httpd binary. Within a shared object named mod_httprp.so, which handles HTTP parsing, we uncovered an out-of-bounds heap write initiated during the parsing of the *Host:* header.

What makes this flaw particularly head-scratching is that it involves the 'safe' version of sprintf, yet someone misconfigured it to omit bounds-checking by passing an invalid size argument.

By doing this, the function continues copying until it hits a null byte—potentially overwriting adjacent heap memory and compromising security. You can replicate this issue with a simple command: ```python import requests; requests.get("https://x.x.x.x/__api__", headers={'Host':'A'*750}, verify=False) ```

CVE-2025-40598: Reflected Cross-Site Scripting (XSS) Vulnerability

Finally, while reviewing CGI endpoints, we stumbled upon a classic reflected XSS vulnerability. Navigating to the radiusChallengeLogin endpoint and injecting an XSS payload via the state parameter activates this flaw, since no filtering is applied.

Despite the SMA100 SSLVPN offering a Web Application Firewall (WAF) feature, it appears disabled at management interfaces, allowing even basic attack vectors to succeed. For instance: https://x.x.x.x/cgi-bin/radiusChallengeLogin?portalName=portal1&status=needchallenge&state="><img/src=x+onerror=alert`1`> What’s the outcome? An alert pops up: a nostalgic throwback to vulnerabilities past.

Conclusion: Why Cybersecurity Is Key

This tumultuous look into SonicWall's SMA100 vulnerabilities highlights the persistent challenges within cybersecurity. The findings serve not just as a report but as a reminder of how critical it is to remain vigilant, continuously advocate for robust coding practices, and understand that even the best security measures have their limitations.