Summary

On December 7, 2021, SonicWall released a security advisory that includes patching guidance for five vulnerabilities in SonicWall SMA 100 series devices that were discovered by Rapid7 (including CVE-2021-20038, which is rated CVSSv3 9.8, critical), as well as several other CVEs discovered by NCC Group. While exploitation has not yet started for these vulnerabilities, SonicWall “strongly urges” organizations to apply the appropriate patches.

From SonicWall’s advisory:

| Issue ID | Summary | CVE | CVSS | Reporting Party | Impacted Versions |
|---|---|---|---|---|---|
| SMA-3217 | Unauthenticated Stack-Based Buffer Overflow | CVE-2021-20038 | 9.8 | Rapid7 | 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv |
| SMA-3204 | Authenticated Command Injection | CVE-2021-20039 | 7.2 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3206 | Unauthenticated File Upload Path Traversal | CVE-2021-20040 | 6.5 | Rapid7, NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3207 | Unauthenticated CPU Exhaustion | CVE-2021-20041 | 7.5 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3208 | Unauthenticated Confused Deputy | CVE-2021-20042 | 6.3 | Rapid7 | 9.0.0.11-31sv, 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3231 | Heap-Based Buffer Overflow | CVE-2021-20043 | 8.8 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3233 | Post-Authentication Remote Command Execution | CVE-2021-20044 | 7.2 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |
| SMA-3235 | Multiple Unauthenticated Heap-Based and Stack Based Buffer Overflow | CVE-2021-20045 | 9.4 | NCCGroup | 10.2.0.8-37sv, 10.2.1.1-19sv |

Affected versions

The issues listed above impact SMA 100 series appliances (SMA 200, 210, 400, 410, 500v).

Full disclosure scheduled for January 2022

Rapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.

Guidance

As with all critical, network-edge appliances, Rapid7 recommends that vulnerabilities be patched immediately. SonicWall devices have previously been exploited at scale in 2021 and are generally high-value targets for attackers. SonicWall does not list any workarounds for these issues. For more information, see SonicWall’s advisory.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to all eight of the CVEs in this advisory with vulnerability checks in the December 7, 2021 content release.
