Lack of check with SSL authentication on the SNS web interface

Advisory ID CVE Number Date discovered Severity Advisory revision
STORM-2019-029 08/06/2019 medium v1

Vulnerability details

It is possible to impersonate an administrator on the SNS web admin interface under certain circumstances.

Impacted products

Stormshield Network Security medium impacted


Version Date Description
v1  12/18/2020 Initial release
v2  03/01/2021 Update “Solution” section

Stormshield Network Security

CVSS v2 Overall Score: 5.1      


Impacted version

It is possible to impersonate an administrator on the SNS web-administration interface under certain circumstances.


If the SSL method of authentication is configured with a CA and an administrator (stored in a LDAP directory) is allowed to authenticate on the SNS then an attacker that have this CA can forge a valid certificate to impersonate the administrator by guessing partial information of a legitimate administrator.

  • SNS 2.0.0 to 2.7.7
  • SNS 3.0.0 to 3.7.14
  • SNS 3.8.0 to 3.11.2
  • SNS 4.0.0 to 4.1.2

Workaround solution


No workaround

The vulnerability is fixed in versions:

  • SNS 2.7.8
  • SNS 3.7.15
  • SNS 3.11.3
  • SNS 4.1.3

Access vector Access complexity Authentication Confidentiality impact Integrity impact Availability impact
Local High Single Complete Complete Complete
CVSS Base score: 6 CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C)
Exploitability Remediation Level Report Confidence
Unproven that exploit exists Unavailable Confirmed
CVSS Temporal score: 5.1 CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C)
Collateral Damage Potential Target Distribution
None High [76-100%]
CVSS Environmental score: 5.1 CVSS Vector: (AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:U/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)