CVE-2021-28127
📋 TL;DR
This vulnerability in Stormshield Network Security (SNS) firewalls allows brute-force attacks against the appliance's authentication mechanisms: the affected versions do not adequately throttle or lock out repeated failed logins, so an attacker can guess credentials at high volume and may eventually gain unauthorized access. Every organization running an SNS version earlier than the fixed release (4.2.2, see below) is exposed.
💻 Affected Systems
- Stormshield Network Security (SNS), versions before 4.2.2 (the fixed release named in the vendor advisory below)
📦 What is this software?
Stormshield Network Security (SNS) is the operating system that runs on Stormshield's firewall/UTM appliances, made by Stormshield, a subsidiary of Airbus. The appliances sit at the network edge and expose authentication interfaces for administrators and for users (for example VPN and captive-portal logins), which is why weak brute-force protection on them is significant.
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to the firewall, enabling complete network compromise, data exfiltration, and lateral movement.
Likely Case
Attackers gain limited access to firewall management interfaces, potentially modifying rules or extracting configuration data.
If Mitigated
Attack attempts are detected and blocked by rate limiting or account lockout mechanisms, with no successful authentication.
🎯 Exploit Status
No prior authentication is needed; an attacker only needs network reachability of an authentication endpoint on the firewall. Credential guessing is trivially automated with common tools such as Hydra or Metasploit, so the practical barrier is the strength of the passwords in use, not the tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.2.2 and later
Vendor Advisory: https://advisories.stormshield.eu/2021-006
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download SNS version 4.2.2 or later from the Stormshield portal.
3. Apply the update through the web interface or the CLI.
4. Verify that the update completed successfully (see "How to Verify" below).
🔧 Temporary Workarounds
Implement rate limiting
Configure the firewall to limit authentication attempts per source IP address.
Configure via web interface: Security > Authentication > Rate Limiting
Enable account lockout
Set an account lockout policy that triggers after a small number of failed attempts (for example 5 failures, 300-second lockout).
Configure via CLI: set auth lockout-threshold 5 lockout-duration 300
Note: menu paths and CLI syntax differ between SNS releases; confirm the exact options against the vendor documentation for your version. Account lockout also lets an attacker who knows a username deliberately lock that account (including administrator accounts), so pair it with source-IP restrictions on the management interface rather than relying on lockout alone.
🧯 If You Can't Patch
- Restrict the management and authentication interfaces to a dedicated administration network or VPN, and block them from the internet and from general user segments
- Deploy an intrusion prevention system (IPS) or the firewall's own filtering to detect and block brute-force patterns (repeated connections to the authentication ports from one source)
- Enforce strong, unique passwords for administrator and VPN accounts so that guessing remains impractical even where throttling is absent
🔍 How to Verify
Check if Vulnerable:
Check the SNS version in the web interface (Dashboard > System Information) or with the CLI command below, and compare it numerically (4.2.10 is newer than 4.2.2). Any version lower than 4.2.2 is affected.
Check Version:
show version
Verify Fix Applied:
Confirm the running version is 4.2.2 or higher, then verify that rate limiting and account lockout are enabled by attempting a handful of deliberately wrong logins from a test host and checking that the appliance throttles or locks the account as configured.
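The version comparison above is easy to get wrong when done as a string comparison ("4.2.10" sorts before "4.2.2" lexicographically). The following is an added example, not code from the advisory or from Stormshield, that compares dotted version strings numerically against the 4.2.2 fix level; the input strings are constructed samples.

```python
"""Numeric SNS version check against the 4.2.2 fix level.

Added example; not part of the original advisory or any Stormshield tool.
"""
FIXED_VERSION = "4.2.2"  # fix level stated in the vendor advisory


def parse_version(version: str) -> tuple:
    """Turn '4.2.10' into (4, 2, 10).

    A trailing build suffix such as '4.2.2-rc1' (hypothetical format) is
    ignored, and short strings like '4.2' are padded with zeros so that
    tuples of equal length are compared.
    """
    core = version.strip().split("-")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version: str) -> bool:
    """True when the running version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample versions; note the string-vs-numeric difference.
    for v in ["4.2.1", "4.2.2", "4.2.10", "4.3.0", "3.11.15"]:
        print(v, "vulnerable" if is_vulnerable(v) else "fixed")
    print("string compare says 4.2.10 < 4.2.2:", "4.2.10" < "4.2.2")
```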
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from single IP
- Authentication logs showing pattern of failed logins
Network Indicators:
- High volume of authentication requests to firewall management ports
- Traffic patterns consistent with automated credential guessing
SIEM Query (Splunk-style; adjust the source and field names to how your Stormshield logs are ingested):
source="stormshield" event_type="authentication_failed" | bin _time span=5m | stats count by src_ip, _time | where count > 10
A per-source-IP threshold catches single-host brute forcing but misses a distributed attack or password spraying, where many sources each make a few attempts against the same account; run the same query grouped by user as well.