From c7fc202ef16f264d2214b8e948b6267fa60bf036 Mon Sep 17 00:00:00 2001 From: GwanYeong Kim Date: Mon, 18 Oct 2021 08:24:29 +0900 Subject: [PATCH 1/3] Create CVE-2021-20031.yaml A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack Signed-off-by: GwanYeong Kim --- cves/2021/CVE-2021-20031.yaml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 cves/2021/CVE-2021-20031.yaml diff --git a/cves/2021/CVE-2021-20031.yaml b/cves/2021/CVE-2021-20031.yaml new file mode 100644 index 0000000000..081be48518 --- /dev/null +++ b/cves/2021/CVE-2021-20031.yaml 
@@ -0,0 +1,31 @@ +id: CVE-2021-20031 + +info: + name: Sonicwall SonicOS 7.0 - Host Header Injection + author: gy741 + severity: medium + description: | + A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2021-20031 + - https://www.exploit-db.com/exploits/50414 + tags: cve,cve2021,sonicwall + +requests: + - raw: + - | + GET / HTTP/1.1 + Host: {{randstr}}.tld + + matchers-condition: and + matchers: + - type: word + words: + - 'https://{{randstr}}.tld/auth.html' + - 'Please be patient as you are being re-directed' + part: body + condition: and + + - type: status + status: + - 200 From 6346c6e93a063a4115039457d68bcadef773c6ae Mon Sep 17 00:00:00 2001 From: Prince Chaddha Date: Mon, 18 Oct 2021 20:52:36 +0530 Subject: [PATCH 2/3] Update CVE-2021-20031.yaml --- cves/2021/CVE-2021-20031.yaml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/cves/2021/CVE-2021-20031.yaml b/cves/2021/CVE-2021-20031.yaml index 081be48518..e54a086b78 100644 --- a/cves/2021/CVE-2021-20031.yaml +++ b/cves/2021/CVE-2021-20031.yaml 
@@ -3,13 +3,15 @@ id: CVE-2021-20031 info: name: Sonicwall SonicOS 7.0 - Host Header Injection author: gy741 - severity: medium - description: | - A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack + severity: low + description: A Host Header Injection vulnerability may allow an attacker to spoof a particular Host header, allowing the attacker to render arbitrary links that point to a malicious website with poisoned Host header webpages. An issue was discovered in Sonicwall NAS, SonicWall Analyzer version 8.5.0 (may be affected on other versions too). The values of the 'Host' headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection attack and also the affected hosts can be used for domain fronting. This means affected hosts can be used by attackers to hide behind during various other attack reference: - - https://nvd.nist.gov/vuln/detail/CVE-2021-20031 - https://www.exploit-db.com/exploits/50414 - tags: cve,cve2021,sonicwall + - https://nvd.nist.gov/vuln/detail/CVE-2021-20031 + metadata: + google-dork: inurl:"auth.html" intitle:"SonicWall" + google-dork: intitle:"SonicWall Analyzer Login" + tags: cve,cve2021,sonicwall,redirect requests: - raw: From 9e37e202bdf3d2820814c096ebb9b52124e7fa80 Mon Sep 17 00:00:00 2001 
From: Prince Chaddha Date: Mon, 18 Oct 2021 20:55:47 +0530 Subject: [PATCH 3/3] Update CVE-2021-20031.yaml --- cves/2021/CVE-2021-20031.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/cves/2021/CVE-2021-20031.yaml b/cves/2021/CVE-2021-20031.yaml index e54a086b78..97ff54f001 100644 --- a/cves/2021/CVE-2021-20031.yaml +++ b/cves/2021/CVE-2021-20031.yaml @@ -9,8 +9,7 @@ info: - https://www.exploit-db.com/exploits/50414 - https://nvd.nist.gov/vuln/detail/CVE-2021-20031 metadata: - google-dork: inurl:"auth.html" intitle:"SonicWall" - google-dork: intitle:"SonicWall Analyzer Login" + google-dork: inurl:"auth.html" intitle:"SonicWall" tags: cve,cve2021,sonicwall,redirect requests:
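
Review bot: in the `info` block of the new file (PATCH 1/3), `name` says "Sonicwall SonicOS 7.0" while `description` refers to "Sonicwall NAS, SonicWall Analyzer version 8.5.0", so the template does not state clearly which product it identifies; the two fields should agree. The description text also stops mid-sentence at "during various other attack". The matcher set itself is reasonable: requiring the reflected `https://{{randstr}}.tld/auth.html` together with the redirect banner and a 200 status means it only fires when the supplied Host value really comes back in the body.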
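
Review bot: the `metadata` block added in PATCH 2/3 defines the `google-dork` key twice, which is a duplicate mapping key in YAML; depending on the parser the file is either rejected or one of the two values is silently dropped. Keep a single `google-dork` entry. In the same hunk `severity` goes from medium to low, and the commit message ("Update CVE-2021-20031.yaml") gives no reason; a one-line rationale would help anyone triaging results from this template later.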
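
Review bot: the `google-dork` value kept in PATCH 3/3 is an unquoted scalar containing colons and double quotes (`inurl:"auth.html" intitle:"SonicWall"`); it parses as a plain string only because no colon is followed by a space, so wrapping the whole value in single quotes would make the intent explicit and keep it safe under later edits. The entry that was removed was the only one naming SonicWall Analyzer, the product the description cites, and the commit message does not say why it was dropped instead of being kept as the single value.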