Skip to content
Get A Demo
Free SIEM
    December 9, 2021

    Critical Bugs Discovered In SonicWall SMA 100 Series Appliances

    What Happened?

    Multiple bugs were discovered in SonicWall’s Secure Mobile Access (SMA) 100 Series VPN appliances. These bugs range from medium to critical, with more severe flaws enabling an unauthenticated user to execute code as a “nobody” user.

    These vulnerabilities affect SonicWall SMA 200, 210, 400, 410, and 500v appliances even with the web application firewall (WAF) enabled. The SMA 100 Series is intended to provide secure access to data center, cloud, and SaaS resources from a single portal.

    A summary of the discovered bugs are below: 

    CVE Description CVSS Score Who Reported It?
    CVE-2021-20038 Unauthenticated Stack-based Buffer Overflow 9.8 High Rapid7
    CVE-2021-20039 Authenticated Command Injection Vulnerability as Root 7.2 High Rapid7
    CVE-2021-20040 Unauthenticated File Upload Path Traversal Vulnerability 6.5 Medium Rapid7, NCCGroup
    CVE-2021-20041 Unauthenticated CPU Exhaustion Vulnerability 7.5 High Rapid7
    CVE-2021-20042 Unauthenticated “Confused Deputy” Vulnerability 6.3 Medium Rapid7
    CVE-2021-20043 getBookmarks Heap-based Buffer Overflow 8.8 High NCCGroup
    CVE-2021-20044 Post-Authentication Remote Code Execution (RCE) 7.2 High NCCGroup
    CVE-2021-20045 Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows 9.4 High NCCGroup

    How Bad is This?

    There are multiple bugs in the SonicWall SMA 100 series appliances, and they all range in severity. Less severe bugs enable threat actors to upload files to a directory in the appliance after exploiting the bug. While there are no public exploits available yet for these bugs, it is only a matter of time until there is.

    In April 2021, there were reports of a ransomware variant FiveHands using a vulnerability in the SMA product to deploy attacks.

    However the more noteworthy bugs, which include CVE-2021-20038, CVE-2021-20039 and CVE-2021-20045, have serious consequences. 

    The most severe is CVE-2021-20038, which was rated a CVSS score of 9.8 and enables a threat actor to enter as root and perform actions such as enabling and disabling security policies and access privileges. CVE-2021-20045 is similar to CVE-2021-20038 in that it is a group of heap- and stack-based buffer overflow bugs that allow remote code execution (RCE) as root.

    CVE-2021-20039 is perhaps the most dangerous if left unpatched because it enables an authenticated threat actor to take over remote devices by injecting arbitrary commands as a root user.

    What Should I Do?

    We recommend that you immediately update your SMA 100 appliances with the most recent patch. There have been reports of this patch causing issues with registration after application of the patch. We recommend backing up and saving configuration previous to patching.

    If you cannot patch, you should disable access from the internet to your SMA 100 until you can.

    How Blumira Can Help

    Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help. 

    Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

    Sign up for a free trial to start detecting and mitigating exposure related to VPN vulnerabilities.

    Tag(s): Security Alerts , Blog

    Matthew Warner

    Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...

    More from the blog

    View All Posts