Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2021-20038 CVE-2021-20039 CVE-2021-20040 CVE-2021-20041 CVE-2021-20042 CVE-2021-20043 CVE-2021-20044 CVE-2021-20045 |
CWE-ID | CWE-121 CWE-77 CWE-434 CWE-835 CWE-441 CWE-122 CWE-284 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. Public exploit code for vulnerability #2 is available. |
Vulnerable software | SMA 100 Hardware solutions / Security hardware appliances |
Vendor | SonicWall |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU58619
Risk: Critical
CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID: CVE-2021-20038
CWE-ID: CWE-121 - Stack-based buffer overflow
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing HTTP GET requests in the SonicWall SMA SSLVPN. A remote unauthenticated attacker can send a specially crafted HTTP request to the SSL VPN interface, trigger a stack-based buffer overflow in the mod_cgi module and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 10.2.1.0-17sv - 10.2.1.2-24sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU58620
Risk: High
CVSSv3.1: 9.2 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C]
CVE-ID: CVE-2021-20039
CWE-ID: CWE-77 - Command injection
Exploit availability: Yes
Description: The vulnerability allows a remote user to compromise the affected system.
The vulnerability exists in the SonicWall SMA SSLVPN `/cgi-bin/viewcert` endpoint, which allows users to upload, view, or delete SSL certificates. A remote authenticated user can send a specially crafted HTTP POST request to the affected SSL VPN interface and execute arbitrary commands on the system with root privileges.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 9.0.0.11-31sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.
EUVDB-ID: #VU58621
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20040
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
Description: The vulnerability allows a remote attacker to compromise the vulnerable system.
The vulnerability exists because the appliance allows unauthenticated file upload. A remote non-authenticated attacker can send a specially crafted HTTP request to the appliance and upload an arbitrary file to any directory on the system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58622
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20041
CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
Description: The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to an infinite loop in the `/fileshare/sonicfiles/sonicfiles` endpoint in the `fileexplorer` process. A remote non-authenticated attacker can send a specially crafted HTTP request to the system and consume all available CPU resources.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 9.0.0.11-31sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58623
Risk: High
CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20042
CWE-ID: CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
Exploit availability: No
Description: The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to missing security checks that allow a remote non-authenticated attacker to bypass firewall rules and use the appliance, undetected, as an intermediary proxy to access internal and external resources.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 9.0.0.11-31sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58624
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20043
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the RAC_GET_BOOKMARKS_HTML5 (RacNumber 35) method that allows users to list their bookmarks. A remote user can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58625
Risk: Medium
CVSSv3.1: 4.4 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20044
CWE-ID: CWE-284 - Improper Access Control
Exploit availability: No
Description: The vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to improper access restrictions in the Management API. A remote user can bypass implemented security restrictions and execute system commands as the 'nobody' user.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU58626
Risk: Critical
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20045
CWE-ID: CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
Description: The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in the RAC_COPY_TO (RacNumber 36) method, which allows users to upload files to an SMB share and can be called without any authentication. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation: Install updates from vendor's website.
Vulnerable software versions: SMA 100: 10.2.0.8-37sv - 10.2.1.1-19sv
Reference: http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
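To triage an appliance inventory against the vulnerable version ranges listed in this bulletin, the following added example (not part of the original bulletin or any vendor tooling) parses SMA 100 firmware strings and reports which of the eight CVEs apply. It assumes the listed ranges are inclusive and that versions order numerically by their dotted parts and then the build number; the appliance names and inventory shown are constructed.

```python
import re

# Ranges copied from the "Vulnerable software versions" lines of this bulletin.
AFFECTED = {
    "CVE-2021-20038": ("10.2.1.0-17sv", "10.2.1.2-24sv"),
    "CVE-2021-20039": ("9.0.0.11-31sv", "10.2.1.1-19sv"),
    "CVE-2021-20040": ("10.2.0.8-37sv", "10.2.1.1-19sv"),
    "CVE-2021-20041": ("9.0.0.11-31sv", "10.2.1.1-19sv"),
    "CVE-2021-20042": ("9.0.0.11-31sv", "10.2.1.1-19sv"),
    "CVE-2021-20043": ("10.2.0.8-37sv", "10.2.1.1-19sv"),
    "CVE-2021-20044": ("10.2.0.8-37sv", "10.2.1.1-19sv"),
    "CVE-2021-20045": ("10.2.0.8-37sv", "10.2.1.1-19sv"),
}

# Firmware strings look like "10.2.1.0-17sv": four dotted parts, then a build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Return a 5-tuple of ints so versions compare numerically, not as strings."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA 100 firmware string: {text!r}")
    return tuple(int(part) for part in match.groups())


def cves_affecting(firmware):
    """List the CVEs from this bulletin whose range contains the firmware."""
    version = parse_version(firmware)
    return sorted(
        cve for cve, (low, high) in AFFECTED.items()
        # Assumption: both ends of each listed range are inclusive.
        if parse_version(low) <= version <= parse_version(high)
    )


def triage(inventory):
    """Map appliance name -> CVE list; None marks a version needing manual review."""
    report = {}
    for name, firmware in inventory.items():
        try:
            report[name] = cves_affecting(firmware)
        except ValueError:
            report[name] = None
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"vpn-edge-1": "10.2.1.1-19sv", "vpn-edge-2": "10.2.1.2-24sv"}
    for host, cves in triage(sample).items():
        print(host, cves)
```
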