If exploited, an unauthenticated, remote attacker can execute code as a “nobody user” in the device meaning attacker would get root access and gain full control of the device.
SonicWall, a renowned network security vendor is urging users to immediately update their SMA 100 [PDF] series devices with the latest version after detecting multiple security flaws.
Reportedly, exploiting these flaws, an unauthenticated, remote attacker can easily take complete control of the device as they would achieve root-level RCE. Successful exploitation can allow an attacker to execute arbitrary code, modify/delete files in certain directories, upload specially designed payloads, reboot the system remotely, exhaust the device’s CPU, bypass firewall rules.
Read: SonicWall hacked after 0-day flaws exploited by hackers
The San Jose-based SonicWall revealed that the flaws were discovered and reported by Rapid7’s Jake Baines and NCC Group’s Richard Warren.
What is SMA 100 Series
SonicWall’s Secure Mobile Access (SMA) 100-series VPN appliances provide end-to-end secure remote access to corporate networks and could be hosted on cloud, on-premise, and hybrid data centers. After establishing device/user identity and trust, the devices offer policy-enforced access control to apps after establishing device/user identity and trust.
About the Bugs
According to the company, several critical security bugs were identified, the most severe of which is an unauthenticated stack-backed buffer overflow issue. This bug carried a CVSS vulnerability-severity score of 9.8 out of 10 and was tracked as CVE-2021-20038.
If exploited, an unauthenticated, remote attacker can execute code as a “nobody user” in the device. This means the attacker would get root access and gain full control of the device. They can enable/disable security policies/access privileges for apps and user accounts. The issue arises from the strcat() function in the Apache HTTPd server, as SonicWall explained in its advisory.
“The vulnerability is due to the SonicWall SMA SSLVPN Apache HTTPd server GET method of mod_cgi module environment variables use a single stack-based buffer using `strcat,’” the company’s security advisory read.
Another notable flaw is tracked as CVE-2021-20045 that sports a combined critical CVSS score of 9.4. The vulnerability results from the “sonicfiles RAC_COPY_TO (RacNumber 36) method” that lets users upload files to an SMB share and doesn’t need authentication to be called. These file explorer heap- and stack-based buffer overflow flaws also allow RCE as root.
“RacNumber 36 of the sonicfiles API maps to the upload_file Python method, and this is associated with filexplorer binary, which is a custom program written in C++ which is vulnerable to a number of memory safety issues,” SonicWall’s security advisory explained.
SEE: FBI issues flash alert after APT groups exploited VPN flaws
The CVE-2021-20043 has a critical CVSS score of 8.8. It is also a heap-based buffer overflow bug that lets an attacker root-level code execution. However, it needs authentication to exploit. The flaw is identified in the getBookmarks function because of the unchecked use of strcat, which lets users list bookmarks.
Which Versions are Affected?
Most of the bugs impact SonicWall SMA 100 series appliances with WAF enabled. Moreover, the bugs also affect SMA 200, 210, 400, 410, and 500 series products that run version 9.0.0.11-31sv or earlier, 10.2.0.8-37sv, 10.2.1.2-24sv, 10.2.1.1-19sv.
List of Flaws
In total, eight security vulnerabilities were identified in SonicWall’s SMA series appliances. which are as follows:
- CVE-2021-20038 (CVSS score: 9.8) Unauthenticated stack-based buffer overflow
- CVE-2021-20039 (CVSS score: 7.2) – Authenticated command injection
- CVE-2021-20040 (CVSS score: 6.5) – Unauthenticated file upload path traversal
- CVE-2021-20041 (CVSS score: 7.5) – Unauthenticated CPU exhaustion
- CVE-2021-20042 (CVSS score: 6.3) – Unauthenticated “Confused Deputy”
- CVE-2021-20043 (CVSS score: 8.8) – GetBookmarks heap-based buffer overflow
- CVE-2021-20044 (CVSS score: 7.2) – Post-authentication remote code execution (RCE)
- CVE-2021-20045 (CVSS score: 9.4) – Unauthenticated file explorer heap-based and stack-based buffer overflow
