Summary
25 January Update
Researchers found attackers attempting to exploit CVE-2021-20038, a critical unauthenticated stack-based overflow vulnerability affecting SonicWall SMA 100 Series products. Attackers appear to be attempting to exploit the vulnerability in the wild, as well as conducting password spraying attacks that use known SonicWall default passwords.
While attacks are ongoing in the wild, SonicWall released a statement saying it is currently unaware of any successful attacks. Still, organizations should ensure they are mitigating attacks by applying the patch for CVE-2021-20038, which SonicWall released in December 2021, and by updating default SonicWall product passwords.
Original Content
SonicWall released a security advisory detailing a number of vulnerabilities affecting its SMA 100 Series products, including SMA 200, 210, 400, 410, and 500v appliances. In total, the advisory details two critical vulnerabilities, four high-risk vulnerabilities, and two medium-risk vulnerabilities.
The critical vulnerabilities are:
- CVE-2021-20038 (CVSS 9.8), an unauthenticated stack-based buffer overflow vulnerability
- CVE-2021-20045 (CVSS 9.4), covering multiple unauthenticated file explorer heap-based and stack-based overflow vulnerabilities
The high-risk vulnerabilities are:
- CVE-2021-20043 (CVSS 8.8), a getBookmarks heap-based overflow vulnerability
- CVE-2021-20041 (CVSS 7.5), an unauthenticated CPU exhaustion vulnerability
- CVE-2021-20039 (CVSS 7.2), an authenticated command injection as root vulnerability
- CVE-2021-20044 (CVSS 7.2), a post-authentication remote code execution vulnerability
SonicWall is currently unaware of any exploitation of these vulnerabilities in the wild.
Analysis
Affected Products and Versions
The vulnerabilities affect SMA 100 series products, including SMA 200, 210, 400, 410, and 500v appliances. The majority of these vulnerabilities also affect SMA 100 series appliances that have WAF enabled. A full matrix of impacted firmware and fixed firmware can be found in the SonicWall advisory (see References).
Potential Impact
Successful exploitation of the most severe of these vulnerabilities could lead to arbitrary code execution. This could allow attackers to install programs; view, modify, or delete data; or create new user accounts with full permissions. Additionally, in July 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) warned of attackers targeting known and previously patched vulnerabilities in SonicWall SMA 100 appliances to potentially launch ransomware attacks.
Recommendations
SonicWall has released updated firmware for the affected appliances and is urging organizations to immediately patch the appliances. It is recommended that organizations apply the patches as soon as possible after conducting the appropriate testing.
References
https://www.sonicwall.com/support/product-notification/product-security-notice-sma-100-series-vulnerability-patches-q4-2021/211201154715443/
https://www.cisa.gov/uscert/ncas/current-activity/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products
https://www.cisa.gov/uscert/ncas/current-activity/2021/12/08/sonicwall-releases-security-advisory-sma-100-series-appliances
https://www.bleepingcomputer.com/news/security/attackers-now-actively-targeting-critical-sonicwall-rce-bug/
https://twitter.com/buffaloverflow/status/1485671824725786633