CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities (FIXED)

Priority: High

Executive Summary:

SonicWall has verified and patched vulnerabilities of critical and medium severity (CVSS 5.3-9.8) in SMA 100 series appliances, which include the SMA 200, 210, 400, 410 and 500v products. SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities. The critical severity vulnerability (CVSS 9.8) in SMA 100 appliances (SMA 200, 210, 400, 410 and 500v) could allow a remote unauthenticated attacker to cause a stack-based buffer overflow, resulting in code execution as the ‘nobody’ user on the SMA 100 appliance. SMA 100 users with WAF licensed and enabled are also impacted by this vulnerability. The vulnerability exists because the GET method handling in the mod_cgi module of the SonicWall SMA SSLVPN Apache httpd server concatenates environment variables into a single stack-based buffer using `strcat`. This allows a remote attacker to cause a stack-based buffer overflow, resulting in code execution. There is no evidence that this vulnerability is being exploited in the wild.

CVSS 9.8 – CVE-2021-20038: Unauthenticated Stack-based Buffer Overflow
A stack-based buffer overflow vulnerability in the SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as the ‘nobody’ user on the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances running firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

https://attackerkb.com/topics/cve-2021-20038
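The bulletin attributes CVE-2021-20038 to environment variables being concatenated into one stack buffer with `strcat`. The following is a constructed illustration of that bug class and its bounded replacement; it is added here for explanation and is not SonicWall's code, and the buffer size, function names and sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the CVE-2021-20038 bug class, not SonicWall's
 * code. The buffer is deliberately small so the failure mode is easy to see. */
#define ENV_BUF_SIZE 64

/* Vulnerable pattern: request-derived values are appended into one fixed
 * stack buffer with strcpy/strcat and nothing checks the combined length,
 * so an over-long value overwrites whatever follows the buffer. */
void unsafe_build_env(char out[ENV_BUF_SIZE], const char *name, const char *value)
{
    strcpy(out, name);   /* unbounded copy */
    strcat(out, "=");
    strcat(out, value);  /* length is controlled by the request */
}

/* Hardened form: snprintf() is bounded by the buffer size and its return
 * value reveals truncation. Returns 0 when the variable fits, -1 when it
 * would have overflowed (the buffer is then left as an empty string). */
int safe_build_env(char *out, size_t out_size, const char *name, const char *value)
{
    int n = snprintf(out, out_size, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* A 63-byte value plus "X=" and the NUL needs 66 bytes, two more than the
 * buffer holds; the hardened builder must refuse it. Returns 1 if it does. */
int oversized_value_rejected(void)
{
    char buf[ENV_BUF_SIZE], value[ENV_BUF_SIZE];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return safe_build_env(buf, sizeof buf, "X", value) == -1;
}

/* For a short value both builders agree; only the bounded one stays safe
 * as the value grows. Returns 1 when the outputs match. */
int short_value_matches(void)
{
    char a[ENV_BUF_SIZE], b[ENV_BUF_SIZE];
    unsafe_build_env(a, "REQUEST_METHOD", "GET");
    return safe_build_env(b, sizeof b, "REQUEST_METHOD", "GET") == 0 && strcmp(a, b) == 0;
}
```

The defensive point is the return-value check: a bounded write that silently truncates is better than an overflow, but a caller that fails the request when the variable does not fit is better still.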

CVSS 7.2 – CVE-2021-20039: Authenticated Command Injection Vulnerability as Root
Improper neutralisation of special elements in the SMA100 management interface ‘/cgi-bin/viewcert’ HTTP POST method allows a remote authenticated attacker to inject arbitrary commands as the ‘nobody’ user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

https://attackerkb.com/topics/9szJhq46lw/cve-2021-20039/rapid7-analysis

CVSS 6.5 – CVE-2021-20040: Unauthenticated File Upload Path Traversal Vulnerability
A relative path traversal vulnerability in the SMA100 upload function allows a remote unauthenticated attacker to upload crafted web pages or files as the ‘nobody’ user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

https://attackerkb.com/topics/cve-2021-20040

CVSS 7.5 – CVE-2021-20041: Unauthenticated CPU Exhaustion Vulnerability

An unauthenticated remote adversary can consume all of the device’s CPU by sending crafted HTTP requests to the SMA100 /fileshare/sonicfiles/sonicfiles endpoint, which triggers a loop with an unreachable exit condition. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

https://attackerkb.com/topics/cve-2021-20041

CVSS 6.5 – CVE-2021-20042: Unauthenticated “Confused Deputy” Vulnerability

An unauthenticated remote attacker can use the SMA 100 as an unintended, undetectable proxy or intermediary to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

https://attackerkb.com/topics/cve-2021-20042

Affected Products and versions:

SonicWall Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410, and 500v. Impacted versions: 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv.

Prevent:

To safeguard your corporate network against the exploits mentioned in this Threat Horizon, ITC recommends installing the latest updates released by SonicWall. As these devices are designed to be exposed to the internet, the only effective remediation for these issues is to apply the vendor-supplied updates.

Customers should act quickly to apply these fixes, which are outlined in the following section and available at the URLs cited in this bulletin’s sources.

React:

If the SonicWall platform is being used in your organisation, then a vulnerability scan would identify vulnerable devices and the current exposure. ITC’s managed Vulnerability Intelligence customers will have scans carried out to identify these vulnerabilities using Qualys.

ITC’s Sentinel SIEM service actively monitors for indications of attackers who may leverage vulnerabilities such as these to gain access to customer networks and our analysts carry out proactive threat hunting to search for related indicators of compromise.

Sources:

[1] https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42

[2] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

[3] https://www.bleepingcomputer.com/news/security/sonicwall

[4] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20038