SonicWall SMA 100: CVE-2021-20045: Multiple SMA 100 Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 7, 2021 | Dec 7, 2021 | Dec 7, 2021 |
Description
A critical-severity vulnerability (CVSS 9.4) in SMA 100 appliances, which include the SMA 200, 210, 400, 410 and 500v, could allow a remote unauthenticated attacker to cause heap-based and stack-based buffer overflows, which would result in code execution as the nobody user on the SMA 100 appliance. SMA 100 appliances with WAF licensed/enabled were observed to be impacted by this vulnerability as well. Exploitation potentially leads to code execution. The vulnerability is due to the sonicfiles RAC_COPY_TO (RacNumber 36) method, which allows users to upload files to an SMB share and can be called without any authentication. RacNumber 36 of the sonicfiles API maps to the upload_file Python method, which is associated with the filexplorer binary, a custom program written in C++ that is vulnerable to a number of memory safety issues.
Solutions