SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs

SonicWall 'strongly urges' organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical.

The bugs (reported by Rapid7's Jake Baines and NCC Group's Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled.

The highest severity flaws patched by SonicWall this week are CVE-2021-20038 and CVE-2021-20045, two critical stack-based buffer overflow vulnerabilities that can let remote unauthenticated attackers execute code as the 'nobody' user on compromised appliances.

Other bugs patched by the company on Tuesday enable authenticated threat actors to gain remote code execution, inject arbitrary commands, or upload crafted web pages and files to any directory in the appliance following successful exploitation.

However, the most dangerous one if left unpatched is CVE-2021-20039. This high-severity security issue can let authenticated attackers inject arbitrary commands as the root user, leading to a remote takeover of unpatched devices.

Luckily, SonicWall says that it hasn't yet found any evidence of any of these security vulnerabilities being exploited in the wild.

| CVE | Summary | CVSS Score |
|---|---|---|
| CVE-2021-20038 | Unauthenticated Stack-based Buffer Overflow | 9.8 High |
| CVE-2021-20039 | Authenticated Command Injection Vulnerability as Root | 7.2 High |
| CVE-2021-20040 | Unauthenticated File Upload Path Traversal Vulnerability | 6.5 Medium |
| CVE-2021-20041 | Unauthenticated CPU Exhaustion Vulnerability | 7.5 High |
| CVE-2021-20042 | Unauthenticated "Confused Deputy" Vulnerability | 6.3 Medium |
| CVE-2021-20043 | getBookmarks Heap-based Buffer Overflow | 8.8 High |
| CVE-2021-20044 | Post-Authentication Remote Code Execution (RCE) | 7.2 High |
| CVE-2021-20045 | Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows | 9.4 High |

"SonicWall urges impacted customers to implement applicable patches as soon as possible," the company says in a security advisory published Tuesday.

Customers using SMA 100 series appliances are advised to immediately log in to their MySonicWall.com accounts to upgrade the firmware to versions outlined in this SonicWall PSIRT Advisory.

Guidance on upgrading the firmware on SMA 100 appliances is available in this knowledgebase article or by contacting SonicWall's support.

To put the importance of patching these security flaws into perspective, SonicWall SMA 100 appliances have been targeted by ransomware gangs multiple times since the start of 2021.

For instance, Mandiant said in April that the CVE-2021-20016 SMA 100 zero-day was exploited to deploy a new ransomware strain known as FiveHands starting in January, when it was also used to target SonicWall's internal systems. Before patches were released in late February 2021, the same bug was abused indiscriminately in the wild.

In July, SonicWall also warned of the increased risk of ransomware attacks targeting unpatched end-of-life SMA 100 series and Secure Remote Access products. However, CrowdStrike, Coveware security researchers, and CISA warned that SonicWall appliances were already targeted by HelloKitty ransomware.

SonicWall's products are used by over 500,000 business customers from 215 countries and territories worldwide, many deployed on the networks of the world's largest companies and government agencies.
