December 9, 2021

Critical Bugs Discovered In SonicWall SMA 100 Series Appliances

What Happened?

Multiple bugs were discovered in SonicWall’s Secure Mobile Access (SMA) 100 Series VPN appliances. These bugs range from medium to critical, with more severe flaws enabling an unauthenticated user to execute code as a “nobody” user.

These vulnerabilities affect SonicWall SMA 200, 210, 400, 410, and 500v appliances even with the web application firewall (WAF) enabled. The SMA 100 Series is intended to provide secure access to data center, cloud, and SaaS resources from a single portal.

A summary of the discovered bugs are below:

CVE	Description	CVSS Score	Who Reported It?
CVE-2021-20038	Unauthenticated Stack-based Buffer Overflow	9.8 High	Rapid7
CVE-2021-20039	Authenticated Command Injection Vulnerability as Root	7.2 High	Rapid7
CVE-2021-20040	Unauthenticated File Upload Path Traversal Vulnerability	6.5 Medium	Rapid7, NCCGroup
CVE-2021-20041	Unauthenticated CPU Exhaustion Vulnerability	7.5 High	Rapid7
CVE-2021-20042	Unauthenticated “Confused Deputy” Vulnerability	6.3 Medium	Rapid7
CVE-2021-20043	getBookmarks Heap-based Buffer Overflow	8.8 High	NCCGroup
CVE-2021-20044	Post-Authentication Remote Code Execution (RCE)	7.2 High	NCCGroup
CVE-2021-20045	Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows	9.4 High	NCCGroup

How Bad is This?

There are multiple bugs in the SonicWall SMA 100 series appliances, and they all range in severity. Less severe bugs enable threat actors to upload files to a directory in the appliance after exploiting the bug. While there are no public exploits available yet for these bugs, it is only a matter of time until there is.

In April 2021, there were reports of a ransomware variant FiveHands using a vulnerability in the SMA product to deploy attacks.

However the more noteworthy bugs, which include CVE-2021-20038, CVE-2021-20039 and CVE-2021-20045, have serious consequences.

The most severe is CVE-2021-20038, which was rated a CVSS score of 9.8 and enables a threat actor to enter as root and perform actions such as enabling and disabling security policies and access privileges. CVE-2021-20045 is similar to CVE-2021-20038 in that it is a group of heap- and stack-based buffer overflow bugs that allow remote code execution (RCE) as root.

CVE-2021-20039 is perhaps the most dangerous if left unpatched because it enables an authenticated threat actor to take over remote devices by injecting arbitrary commands as a root user.

What Should I Do?

We recommend that you immediately update your SMA 100 appliances with the most recent patch. There have been reports of this patch causing issues with registration after application of the patch. We recommend backing up and saving configuration previous to patching.

If you cannot patch, you should disable access from the internet to your SMA 100 until you can.

How Blumira Can Help

Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied with a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

Tag(s): Security Alerts , Blog

Matthew Warner

Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...