What Happened?

Multiple bugs were discovered in SonicWall’s Secure Mobile Access (SMA) 100 Series VPN appliances. These bugs range from medium to critical, with more severe flaws enabling an unauthenticated user to execute code as a “nobody” user.

These vulnerabilities affect SonicWall SMA 200, 210, 400, 410, and 500v appliances even with the web application firewall (WAF) enabled. The SMA 100 Series is intended to provide secure access to data center, cloud, and SaaS resources from a single portal.

A summary of the discovered bugs is below:

| CVE | Description | CVSS Score | Who Reported It? |
|---|---|---|---|
| CVE-2021-20038 | Unauthenticated Stack-based Buffer Overflow | 9.8 High | Rapid7 |
| CVE-2021-20039 | Authenticated Command Injection Vulnerability as Root | 7.2 High | Rapid7 |
| CVE-2021-20040 | Unauthenticated File Upload Path Traversal Vulnerability | 6.5 Medium | Rapid7, NCCGroup |
| CVE-2021-20041 | Unauthenticated CPU Exhaustion Vulnerability | 7.5 High | Rapid7 |
| CVE-2021-20042 | Unauthenticated “Confused Deputy” Vulnerability | 6.3 Medium | Rapid7 |
| CVE-2021-20043 | getBookmarks Heap-based Buffer Overflow | 8.8 High | NCCGroup |
| CVE-2021-20044 | Post-Authentication Remote Code Execution (RCE) | 7.2 High | NCCGroup |
| CVE-2021-20045 | Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows | 9.4 High | NCCGroup |

How Bad is This?

There are multiple bugs in the SonicWall SMA 100 series appliances, and they vary in severity. The less severe bugs enable threat actors to upload files to a directory on the appliance after exploiting the bug. While there are no public exploits available yet for these bugs, it is only a matter of time until there are.

In April 2021, there were reports of a ransomware variant FiveHands using a vulnerability in the SMA product to deploy attacks.

However, the more noteworthy bugs, which include CVE-2021-20038, CVE-2021-20039 and CVE-2021-20045, have serious consequences.

The most severe is CVE-2021-20038, which was rated a CVSS score of 9.8 and enables a threat actor to enter as root and perform actions such as enabling and disabling security policies and access privileges. CVE-2021-20045 is similar to CVE-2021-20038 in that it is a group of heap- and stack-based buffer overflow bugs that allow remote code execution (RCE) as root.

CVE-2021-20039 is perhaps the most dangerous if left unpatched because it enables an authenticated threat actor to take over remote devices by injecting arbitrary commands as a root user.

What Should I Do?

We recommend that you immediately update your SMA 100 appliances with the most recent patch. There have been reports of this patch causing registration issues after it is applied, so we recommend backing up and saving your configuration prior to patching.

If you cannot patch, you should disable access from the internet to your SMA 100 until you can.

How Blumira Can Help

Blumira detects and alerts you about suspicious behavior in your environment so that you can stop an incident early enough to prevent damage. Each finding we send is accompanied by a security playbook, giving you clear recommendations on how to remediate an attack. Our support team of security analysts is always available to answer questions on how to interpret a finding, or for other security help.

Blumira’s free trial is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.

Sign up for a free trial to start detecting and mitigating exposure related to VPN vulnerabilities.