SNS: Open redirect on the captive portal

| Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
| --- | --- | --- | --- | --- |
| STORM-2020-001 | CVE-2020-8430 | 01/09/2020 | medium | v4 |

Vulnerability details

An attacker can steal a firewall administrator's password by redirecting the administrator to a fake authentication page.

 

Stormshield is pleased to thank DIGITEMIS for reporting this issue under responsible disclosure.

Impacted products

| Products | Severity | Detail |
| --- | --- | --- |
| Stormshield Network Security | medium | SNS is impacted |

Revisions

| Version | Date | Description |
| --- | --- | --- |
| v1 | 19/02/2020 | Initial release |
| v2 | 24/02/2020 | update workaround |
| v3 | 26/02/2020 | fixed typo |
| v4 | 09/10/2020 | Precision about Digitemis |

 



Stormshield Network Security

CVSS v2 Overall Score: 5.9      

Analysis

An attacker can craft a URL to the captive portal that contains a redirection link to the attacker's own domain, then send it to an administrator in order to steal the administrator's credentials.

Impacted version

  • SNS 3.0.0 to 3.7.10
  • SNS 3.8.0 to 3.10.0
  • SNS 4.0.0 to 4.0.1

Workaround solution

If the captive portal is enabled, you can temporarily disable it until a fixed version is installed.

If the captive portal is disabled (as it is in the default configuration), the UTM is not impacted.

Solution

The 3.7.11, 3.10.1 and 4.0.2 updates fix this vulnerability.
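Added example, not part of Stormshield's advisory: a triage check for the pattern described under Analysis, a link to the captive portal whose query string carries a redirection target on a foreign host. The hostnames, path and parameter name are constructed placeholders, because the advisory does not publish the portal's URL layout; the check therefore inspects every parameter rather than a named one.

```python
# Added example: flag portal links whose query string carries an off-host
# redirect target. Hosts, paths and parameter names are constructed
# placeholders, not the real SNS captive portal URL layout.
from urllib.parse import urlsplit, parse_qsl, unquote

PORTAL_HOSTS = {"fw.example.test"}  # assumption: names your portal is served on


def external_target(value, allowed_hosts):
    """Return the foreign host a parameter value points at, or None."""
    # Browsers treat "\" like "/" and drop control characters, so normalise
    # first; the extra unquote() also catches double-encoded values.
    v = unquote(value).strip().replace("\\", "/")
    v = "".join(ch for ch in v if ch >= " ")
    if not (v.startswith("//") or "://" in v[:12]):
        return None  # relative path: stays on the portal
    host = (urlsplit(v).hostname or "").lower()
    if host and host not in allowed_hosts:
        return host
    return None


def suspicious_params(url, allowed_hosts=PORTAL_HOSTS):
    """List (parameter, foreign_host) pairs found in a link to the portal."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in allowed_hosts:
        return []  # not a link to our portal
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        host = external_target(value, allowed_hosts)
        if host:
            hits.append((name, host))
    return hits


# Constructed sample links, as they might appear in mail or proxy logs.
SAMPLES = [
    "https://fw.example.test/portal?next=/status",
    "https://fw.example.test/portal?next=https%3A%2F%2Flogin.attacker.test%2F",
    "https://fw.example.test/portal?next=%2F%2Flogin.attacker.test",
    "https://fw.example.test/portal?next=https://fw.example.test@login.attacker.test/",
    "https://fw.example.test/portal?next=%252F%252Flogin.attacker.test",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", suspicious_params(url) or "ok")
```

The check reads the host the way a URL parser does, so a value that merely begins with the portal's name (the userinfo form in the fourth sample) is still reported.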



| Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
| --- | --- | --- | --- | --- | --- |
| Network | Medium | None | Complete | None | None |

CVSS Base score: 7.1
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:N/A:N)

| Exploitability | Remediation Level | Report Confidence |
| --- | --- | --- |
| Functional exploit exists | Official fix | Confirmed |

CVSS Temporal score: 5.9
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C)

| Collateral Damage Potential | Target Distribution |
| --- | --- |
| None | High [76-100%] |

CVSS Environmental score: 5.9
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:N/A:N/E:F/RL:OF/RC:C/CDP:N/TD:H/CR:ND/IR:ND/AR:ND)