On Tuesday, December 7, 2021, SonicWall published a Security Advisory detailing multiple vulnerabilities in their SMA 100 series VPN appliances.
As of January 24, 2022, security researchers have identified threat actors are actively attempting to exploit CVE-2021-20038 in SMA 100 series appliances, including SMA 200, 210, 400, 410 and 500v even when the web application firewall is enabled. Successful exploitation of this vulnerability can let remote unauthenticated attackers execute code as the ‘nobody’ user on compromised SonicWall appliances.
Although threat actors are now actively targeting this vulnerability in the wild, security researchers and SonicWall themselves have stated they have not observed any successful exploit attempts.
Recommendation for CVE-2021-20038
This section provides details on the recommendation/s that Arctic Wolf suggests identifying and remediating vulnerable SonicWall VPN appliances.
Recommendation #1: Identify Vulnerable SonicWall VPN Appliances
| Affected Appliances | CVE | Description | Affected Firmware Versions | Fixed Firmware Version(s) |
|
|
A buffer overflow exists in the Apache httpd server’s mod_cgi module allowing a remote unauthenticated attacker to execute code as a ‘nobody’ user |
|
|
