Multiple bugs were discovered in SonicWall’s Secure Mobile Access (SMA) 100 Series VPN appliances. These bugs range from medium to critical, with more severe flaws enabling an unauthenticated user to execute code as a “nobody” user.
These vulnerabilities affect SonicWall SMA 200, 210, 400, 410, and 500v appliances even with the web application firewall (WAF) enabled. The SMA 100 Series is intended to provide secure access to data center, cloud, and SaaS resources from a single portal.
A summary of the discovered bugs is below:
| CVE | Description | CVSS Score | Who Reported It? |
| --- | --- | --- | --- |
| CVE-2021-20038 | Unauthenticated Stack-based Buffer Overflow | 9.8 High | Rapid7 |
| CVE-2021-20039 | Authenticated Command Injection Vulnerability as Root | 7.2 High | Rapid7 |
| CVE-2021-20040 | Unauthenticated File Upload Path Traversal Vulnerability | 6.5 Medium | Rapid7, NCCGroup |
| CVE-2021-20041 | Unauthenticated CPU Exhaustion Vulnerability | 7.5 High | Rapid7 |
| CVE-2021-20042 | Unauthenticated "Confused Deputy" Vulnerability | 6.3 Medium | Rapid7 |
| CVE-2021-20043 | getBookmarks Heap-based Buffer Overflow | 8.8 High | NCCGroup |
| CVE-2021-20044 | Post-Authentication Remote Code Execution (RCE) | 7.2 High | NCCGroup |
| CVE-2021-20045 | Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows | 9.4 High | NCCGroup |
How Bad is This?
There are multiple bugs in the SonicWall SMA 100 series appliances, ranging in severity. The less severe bugs enable threat actors to upload files to a directory on the appliance after exploitation. While there are no public exploits available yet for these bugs, it is only a matter of time until there are.
In April 2021, there were reports of a ransomware variant, FiveHands, using a vulnerability in the SMA product to deploy attacks.
However, the more noteworthy bugs, which include CVE-2021-20038, CVE-2021-20039 and CVE-2021-20045, have serious consequences.
The most severe is CVE-2021-20038, which was rated a CVSS score of 9.8 and enables a threat actor to gain access as root and perform actions such as enabling and disabling security policies and access privileges. CVE-2021-20045 is similar to CVE-2021-20038 in that it is a group of heap- and stack-based buffer overflow bugs that allow remote code execution (RCE) as root.
CVE-2021-20039 is perhaps the most dangerous if left unpatched because it enables an authenticated threat actor to take over remote devices by injecting arbitrary commands as a root user.
What Should I Do?
We recommend that you immediately update your SMA 100 appliances with the most recent patch. There have been reports of this patch causing registration issues after it is applied, so we recommend backing up and saving your configuration prior to patching.
If you cannot patch, you should disable access from the internet to your SMA 100 until you can.
How Blumira Can Help
Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.
Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Sign up for a free trial to start detecting and mitigating exposure related to VPN vulnerabilities.