Threat Update
SonicWall, a widely-used network security company, has released patches to address several critical vulnerabilities within their SMA 100 Series VPN appliances. These vulnerabilities could allow attackers to execute arbitrary code, modify/delete files, bypass firewall rules, and even gain remote access to devices. Although these vulnerabilities have not yet been exploited in the wild, SonicWall is urging customers to upgrade these appliances immediately and apply the necessary security patches.
Technical Detail & Additional Information
WHAT IS THE THREAT?
There are 8 CVEs in total, which SonicWall says affect SMA 200, 210, 400, 410, and 500v products running versions 9.0.0.11-31sv and earlier, 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier. SonicWall believes the most recent updates will patch these vulnerabilities:
- CVE-2021-20038 (CVSS score: 9.8) – Unauthenticated stack-based buffer overflow vulnerability
- CVE-2021-20039 (CVSS score: 7.2) – Authenticated command injection vulnerability as root
- CVE-2021-20040 (CVSS score: 6.5) – Unauthenticated file upload path traversal vulnerability
- CVE-2021-20041 (CVSS score: 7.5) – Unauthenticated CPU exhaustion vulnerability
- CVE-2021-20042 (CVSS score: 6.3) – Unauthenticated “Confused Deputy” vulnerability
- CVE-2021-20043 (CVSS score: 8.8) – “getBookmarks” heap-based buffer overflow vulnerability
- CVE-2021-20044 (CVSS score: 7.2) – Post-authentication remote code execution (RCE) vulnerability
- CVE-2021-20045 (CVSS score: 9.4) – Unauthenticated file explorer heap-based and stack-based buffer overflow vulnerabilities
WHY IS IT NOTEWORTHY?
The vulnerabilities above pose significant threats to any company using SonicWall technologies. Tens of thousands of companies use and trust SonicWall to protect them. Attackers with knowledge of these vulnerabilities could do serious damage, as they have several different companies to potentially target. SonicWall has done the work to pinpoint and patch these vulnerabilities. Any company that uses SonicWall SMA 100 Series VPN appliances should ensure it is not running a vulnerable appliance and, if it is, update that appliance immediately.
WHAT IS THE EXPOSURE OR RISK?
If exploited, these vulnerabilities could allow attackers to do serious damage. They could allow attackers to bypass firewall rules and, with them, the security measures that keep devices safe. They could allow attackers to access, modify, and/or delete files, which could expose sensitive personal and company information. They could also allow attackers to execute arbitrary code and upload malicious payloads. Attackers could also consume all of a device’s CPU, which could lead to denial of service and the services becoming unavailable. The risk for customers using vulnerable versions of the SonicWall SMA 100 Series is very high, and they should update to patched versions as soon as possible.
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP recommends that any affected organizations update SonicWall appliances as soon as possible. These vulnerabilities have been patched and those who apply these patches should no longer be at risk.
Vulnerable Appliances:
- SMA 200
- SMA 210
- SMA 400
- SMA 410
- SMA 500v
Affected Software Versions:
- 9.0.0.11-31sv and earlier
- 10.2.0.8-37sv
- 10.2.1.1-19sv
- 10.2.1.2-24sv and earlier
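To check an asset inventory against the appliance and version lists above, the following added example (not SonicWall or Barracuda MSP code) parses firmware strings and flags affected rows. It assumes that "and earlier" applies within the same major.minor release train; the hostnames and the non-listed versions in the sample inventory are constructed.

```python
import re

# Affected firmware as listed in this advisory: (version, "and earlier" flag).
AFFECTED = [
    ("9.0.0.11-31sv", True),
    ("10.2.0.8-37sv", False),
    ("10.2.1.1-19sv", False),
    ("10.2.1.2-24sv", True),
]
MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse(version):
    """'10.2.1.2-24sv' -> (10, 2, 1, 2, 24); ValueError on any other shape."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return tuple(int(g) for g in m.groups())

def classify(model, version):
    """Return 'affected', 'not-listed' or 'out-of-scope' for one inventory row."""
    if model not in MODELS:
        return "out-of-scope"
    v = parse(version)
    for listed, and_earlier in AFFECTED:
        ref = parse(listed)
        if v == ref:
            return "affected"
        # Assumption: "and earlier" is scoped to the same major.minor train.
        if and_earlier and v[:2] == ref[:2] and v < ref:
            return "affected"
    # Not in the advisory's list; confirm against the vendor's fixed releases.
    return "not-listed"

def triage(rows):
    return [(host, classify(model, ver)) for host, model, ver in rows]

# Constructed inventory rows for illustration only.
INVENTORY = [
    ("vpn-edge-01", "SMA 410", "10.2.1.1-19sv"),
    ("vpn-edge-02", "SMA 200", "9.0.0.9-26sv"),
    ("vpn-lab-01", "SMA 500v", "10.2.9.9-99sv"),
    ("other-01", "other-model", "1.0.0.0-1sv"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host}: {status}")
```

A "not-listed" result only means the version does not match this advisory's list; it is not confirmation that the firmware is patched.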
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://threatpost.com/critical-sonicwall-vpn-bugs-appliance-takeover/176869/
- https://thehackernews.com/2021/12/sonicwall-urges-customers-to.html?m=1
If you have any questions, please contact our Security Operations Center.