On December 7, 2021, SonicWall released a security advisory that includes patching guidance for five vulnerabilities in SonicWall SMA 100 series devices that were discovered by Rapid7 (including CVE-2021-20038, which is rated CVSSv3 9.8, critical), as well as several other CVEs discovered by NCC Group. While exploitation has not yet started for these vulnerabilities, SonicWall “strongly urges” organizations to apply the appropriate patches.
From SonicWall’s advisory:
| Issue ID | Summary | CVE | CVSS | Reporting Party | Impacted Versions |
|---|---|---|---|---|---|
| SMA-3217 | Unauthenticated Stack-Based Buffer Overflow | CVE-2021-20038 | 9.8 | Rapid7 | 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv |
| SMA-3204 | Authenticated Command Injection | CVE-2021-20039 | 7.2 | Rapid7 | 220.127.116.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3206 | Unauthenticated File Upload Path Traversal | CVE-2021-20040 | 6.5 | Rapid7, NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3207 | Unauthenticated CPU Exhaustion | CVE-2021-20041 | 7.5 | Rapid7 | 18.104.22.168-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3208 | Unauthenticated Confused Deputy | CVE-2021-20042 | 6.3 | Rapid7 | 22.214.171.124-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3231 | Heap-Based Buffer Overflow | CVE-2021-20043 | 8.8 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3233 | Post-Authentication Remote Command Execution | CVE-2021-20044 | 7.2 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3235 | Multiple Unauthenticated Heap-Based and Stack Based Buffer Overflow | CVE-2021-20045 | 9.4 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
The issues listed above impact SMA 100 series appliances (SMA 200, 210, 400, 410, 500v).
Full disclosure scheduled for January 2022
Rapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.
As with all critical, network-edge appliances, Rapid7 recommends that vulnerabilities be patched immediately. SonicWall devices have previously been exploited at scale in 2021 and are generally high-value targets for attackers. SonicWall does not list any workarounds for these issues. For more information, see SonicWall’s advisory.
InsightVM and Nexpose customers can assess their exposure to all eight of the CVEs in this advisory with vulnerability checks in the December 7, 2021 content release.