CVE-2021-20038: Remote Code Execution Vulnerability in SonicWall SMA Appliances

Share :

On Tuesday, December 7, 2021, SonicWall published a Security Advisory detailing multiple vulnerabilities in their SMA 100 series VPN appliances.  

As of January 24, 2022, security researchers have identified threat actors are actively attempting to exploit CVE-2021-20038 in SMA 100 series appliances, including SMA 200, 210, 400, 410 and 500v even when the web application firewall is enabled. Successful exploitation of this vulnerability can let remote unauthenticated attackers execute code as the ‘nobody’ user on compromised SonicWall appliances. 

Although threat actors are now actively targeting this vulnerability in the wild, security researchers and SonicWall themselves have stated they have not observed any successful exploit attempts. 

Recommendation for CVE-2021-20038

This section provides details on the recommendation/s that Arctic Wolf suggests identifying and remediating vulnerable SonicWall VPN appliances. 

Recommendation #1: Identify Vulnerable SonicWall VPN Appliances 

Affected Appliances  CVE  Description  Affected Firmware Versions  Fixed Firmware Version(s) 
  • SMA 200 
  • SMA 210 
  • SMA 400 
  • SMA 410 
  • SMA 500v 
  • Any SMA 100 Series appliance with WAF enabled 
  • Unauthenticated Remote Code Execution Vulnerability 
  • CVE-2021-20038
    (Critical – CVSS 9.8) 
A buffer overflow exists in the Apache httpd server’s mod_cgi module allowing a remote unauthenticated attacker to execute code as a ‘nobody’ user 
  • 10.2.1.0-17sv
    (and earlier) 
  • 10.2.1.1-19sv
    (and earlier) 
  • 10.2.1.2-24sv
    (and earlier) 
  • 10.2.1.3-27sv 

References 

James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Categories
Subscribe to our Monthly Newsletter