CVE-2021-28962

7.2 HIGH

📋 TL;DR

This vulnerability allows read-only administrators in Stormshield Network Security (SNS) firewalls to escalate privileges via CLI commands, gaining higher-level administrative access. It affects SNS firewall appliances running versions before 4.2.2. Organizations using affected SNS firewalls with read-only administrator accounts are at risk.

💻 Affected Systems

Products:
  • Stormshield Network Security (SNS)
Versions: All versions before 4.2.2
Operating Systems: Stormshield proprietary OS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires read-only administrator account access to exploit. All SNS appliances with affected software versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A read-only administrator gains full administrative control over the firewall, enabling them to modify firewall rules, disable security policies, intercept traffic, or compromise the entire network perimeter.

🟠 Likely Case

Read-only administrators escalate to full administrative privileges, potentially modifying configurations, bypassing security controls, or accessing sensitive network data.

🟢 If Mitigated

With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and blocked before causing significant damage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated read-only administrator access. The vulnerability involves specific CLI commands that allow privilege escalation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.2.2 or later

Vendor Advisory: https://advisories.stormshield.eu/2021-007/

Restart Required: Yes

Instructions:

1. Back up the current configuration.
2. Download SNS version 4.2.2 or later from the Stormshield portal.
3. Upload and install the update via the web interface or CLI.
4. Reboot the appliance.
5. Verify that the update succeeded and that functionality is restored.

🔧 Temporary Workarounds

Restrict CLI Access

Limit CLI access for read-only administrators to prevent exploitation of vulnerable commands.

Configure via SNS web interface: Administration > Users > Edit read-only admin > Restrict CLI access

🧯 If You Can't Patch

  • Immediately audit and monitor all read-only administrator account activities for suspicious privilege escalation attempts.
  • Consider temporarily disabling or restricting read-only administrator accounts until patching is possible.

🔍 How to Verify

Check if Vulnerable:

Check the SNS version via the web interface (Dashboard > System Information) or the CLI command 'show version'. If the version is below 4.2.2, the system is vulnerable.

Check Version:

show version

Verify Fix Applied:

After updating, verify that the version is 4.2.2 or higher. Test with a read-only administrator account to confirm that CLI privilege escalation commands no longer work.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CLI command execution by read-only administrators
  • Privilege escalation attempts in audit logs
  • Configuration changes from read-only accounts

Network Indicators:

  • Unexpected firewall rule modifications
  • Changes in traffic filtering patterns

SIEM Query:

source="sns_firewall" AND (event_type="cli_command" AND user_role="readonly_admin")
