Patch critical vulnerabilities in SonicWall SMA 100

Sicherheit (Pexels, allgemeine Nutzung)[German]SonicWall's Secure Mobile Access (SMA) 100-Series solution provides secure end-to-end remote access to enterprise resources hosted in on-premise, cloud and hybrid data centers. Vendor SonicWall is now urging users of its SMA 100 devices (SECURE MOBILE ACCESS 100-SERIES) to patch. Security researchers have found two critical vulnerabilities in the firmware, for which the manufacturer is providing security updates.


In its December 9, 2021 Security Notice,  the vendor announced that it has reviewed and patched critical and moderate severity vulnerabilities (CVSS 5.3-9.8) in the SMA 100-Series appliances, which include the SMA 200, 210, 400, 410 and 500v products. SMA 100-series appliances with WAF enabled are also affected by most of these vulnerabilities. The following vulnerabilities are listed on this web page:

Issue ID Reporting Party CVE CVSS Summary
SMA-3217 Rapid7 CVE-2021-20038 9.8 Unauthenticated Stack-Based Buffer Overflow
SMA-3204 Rapid7 CVE-2021-20039 7.2 Authenticated Command Injection
SMA-3206 Rapid7 |NCCGroup CVE-2021-20040 6.5 Unauthenticated File Upload Path Traversal
SMA-3207 Rapid7 CVE-2021-20041 7.5 Unauthenticated CPU Exhaustion
SMA-3208 Rapid7 CVE-2021-20042 6.3 Unauthenticated Confused Deputy
SMA-3231 NCCGroup CVE-2021-20043 8.8 Heap-Based Buffer Overflow
SMA-3233 NCCGroup CVE-2021-20044 7.2 Post-Authentication Remote Command Execution
SMA-3235 NCCGroup CVE-2021-20045 9.4 Multiple Unauthenticated Heap-Based and Stack Based Buffer Overflow

Critical vulnerabilities CVE-2021-20038 (CVSS 9.8) and CVE-2021-20045 (CVSS 9.4) in the SMA 100 appliances could allow an unauthenticated attacker to cause a stack-based buffer overflow. The CVE-2021-20038 vulnerability is due to the Apache httpd server GET method of SonicWall SMA SSLVPN using a single stack-based buffer in the environment variables of the mod_cgi module using `strcat`. This allows remote attackers to perform a stack-based buffer overflow that would lead to code execution.

Both vulnerabilities allow code execution in the SMA100 appliance as a nobody user. SMA 100 users with WAF enabled are also affected by this vulnerability. There is no evidence yet that the vulnerabilities listed in the table above are being exploited in the wild. SonicWall strongly recommends that organizations follow the instructions to patch the SMA 100 series products. The linked page also lists the details of the remaining vulnerabilities from the table above. It should not be long before these vulnerabilities are exploited by cybercriminals.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Update and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *