CVE-2021-28096 in SNS

Summary

by MITRE • 01/27/2022

An issue was discovered in Stormshield SNS before 4.2.3 (when the proxy is used). An attacker can saturate the proxy connection table. This would result in the proxy denying any new connections.


Analysis

by VulDB Data Team • 01/29/2022

The vulnerability identified as CVE-2021-28096 affects Stormshield Security Network Shield (SNS) versions prior to 4.2.3 when the proxy functionality is enabled. This issue represents a significant denial of service vulnerability that specifically targets the proxy connection management mechanism within the security appliance. The flaw allows malicious actors to exploit the proxy connection table by saturating it with excessive connections, ultimately leading to complete service disruption for legitimate users. The vulnerability is particularly concerning because it directly impacts the core functionality of the proxy service, which is essential for network traffic filtering and security enforcement.

The technical implementation of this vulnerability stems from inadequate connection table management and insufficient rate limiting mechanisms within the Stormshield SNS proxy component. When the proxy is actively processing connections, it maintains a finite table structure to track active sessions and their associated metadata. The flaw occurs when an attacker systematically establishes multiple concurrent connections without proper termination or connection reuse mechanisms, causing the table to reach its maximum capacity. This type of vulnerability aligns with CWE-400, which categorizes unchecked resource consumption as a critical weakness in software design. The proxy connection table exhaustion represents a classic resource exhaustion attack pattern that can be executed through automated tools or scripts designed to rapidly establish connections.

From an operational impact perspective, this vulnerability creates a severe disruption to network services by completely blocking new proxy connections from being established. Once the connection table is saturated, legitimate users attempting to access network resources through the proxy will experience immediate connection failures, effectively rendering the security appliance unable to perform its intended filtering and monitoring functions. The attack can be executed with minimal resources and technical expertise, making it particularly dangerous in production environments where continuous network availability is critical. This vulnerability directly impacts the availability component of the CIA triad and can be classified under the ATT&CK technique T1499.1 for network denial of service attacks. Organizations relying on Stormshield SNS for network security may find their entire proxy infrastructure compromised, potentially exposing their network to direct attacks or allowing security controls to be bypassed.

The recommended mitigation strategy involves upgrading to Stormshield SNS version 4.2.3 or later, which includes patches addressing the proxy connection table management issues. Network administrators should also implement additional monitoring and alerting mechanisms to detect unusual connection patterns that might indicate an attempted exploitation. Configuration changes such as implementing connection rate limiting, connection timeouts, and connection pooling optimizations can provide additional defense-in-depth measures. The vulnerability demonstrates the importance of proper resource management and connection handling in network security appliances, as inadequate implementation of these controls can create significant attack vectors. Organizations should also consider implementing network segmentation and access controls to limit potential impact if such an attack occurs, while maintaining regular security assessments to identify similar vulnerabilities in other network components.
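The monitoring recommended above can be sketched as a replay of connection open/close events that alerts before the table is full. This is an added example, not Stormshield or VulDB code; the event format, the table capacity and both thresholds are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample events (ts, source, action); not a real SNS log format.
SAMPLE_EVENTS = (
    [(1, "10.0.0.5", "open"), (2, "10.0.0.6", "open"), (3, "10.0.0.5", "close")]
    + [(10 + i, "192.0.2.77", "open") for i in range(8)]  # opened, never closed
    + [(20, "10.0.0.6", "close"), (21, "10.0.0.7", "open")]
)

def detect_saturation(events, table_capacity=10, warn_ratio=0.8,
                      per_source_share=0.5):
    """Replay open/close events and return alerts as (ts, kind, detail).

    table_capacity, warn_ratio and per_source_share are assumed tuning
    values; set them from the appliance's real limits and baseline traffic.
    """
    open_by_source = Counter()
    flagged_sources = set()
    table_warned = False
    alerts = []
    for ts, src, action in sorted(events):
        if action == "open":
            open_by_source[src] += 1
        elif action == "close" and open_by_source[src] > 0:
            open_by_source[src] -= 1
        total = sum(open_by_source.values())
        # One source holding a large share of the table is the key signal.
        if (open_by_source[src] > table_capacity * per_source_share
                and src not in flagged_sources):
            flagged_sources.add(src)
            alerts.append((ts, "source_hog", src))
        # Warn while new connections are still being accepted.
        if total >= table_capacity * warn_ratio:
            if not table_warned:
                table_warned = True
                alerts.append((ts, "table_near_capacity", total))
        else:
            table_warned = False  # re-arm once occupancy drops again
    return alerts

if __name__ == "__main__":
    for alert in detect_saturation(SAMPLE_EVENTS):
        print(alert)
```

Alerting on occupancy below 100% matters here because, once the table is saturated, the proxy refuses new connections and the outage has already begun.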

Reservation: 03/08/2021

Disclosure: 01/27/2022

Moderation: accepted

CPE: ready

EPSS: 0.00889

KEV: no

Activities: very low
