CVE-2018-9867

EUVD-2018-21459

19.02.2019, 21:29

In SonicWall SonicOS, administrators without full permissions can download imported certificates. Occurs when administrators who are not in the SonicWall Administrators user group attempt to download imported certificates. This vulnerability affected SonicOS Gen 5 version 5.9.1.10 and earlier, Gen 6 version 6.2.7.3, 6.5.1.3, 6.5.2.2, 6.5.3.1, 6.2.7.8, 6.4.0.0, 6.5.1.8, 6.0.5.3-86o and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
sonicwall	sonicos	5.0.0.0 ≤ 𝑥 ≤ 5.9.1.10
sonicwall	sonicos	6.0.5.3-86o
sonicwall	sonicos	6.2.7.3
sonicwall	sonicos	6.2.7.8
sonicwall	sonicos	6.4.0.0
sonicwall	sonicos	6.5.1.3
sonicwall	sonicos	6.5.1.8
sonicwall	sonicos	6.5.2.2
sonicwall	sonicos	6.5.3.1
sonicwall	sonicosv	6.5.0.2-8v_rc363
sonicwall	sonicosv	6.5.0.2.8v_rc366:v_rc366
sonicwall	sonicosv	6.5.0.2.8v_rc367:v_rc367
sonicwall	sonicosv	6.5.0.2.8v_rc368:v_rc368

𝑥

= Vulnerable software versions

Common Weakness Enumeration

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0017

https://www.tenable.com/security/research/tra-2019-08

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0017

https://www.tenable.com/security/research/tra-2019-08