New exploits of a critical vulnerability (CVE-2021-20038) affecting SonicWall’s Secure Mobile Access (SMA) gateway was discovered yesterday. The vulnerability is an unauthenticated stack-based buffer overflow which impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v). The vulnerability was addressed by SonicWall in December 2021, but attackers are still targeting the gateway.
Exploitation of CVE-2021-20038 allows remote unauthenticated attackers to execute code as the ‘nobody’ user in compromised SonicWall appliances. The vulnerability has a Common Vulnerability Scoring System score (CVSS) of 9.8 and allows attackers to overwrite several security-critical data on an execution stack that can lead to arbitrary code execution. CVE-2021-20038 could allow attackers to get complete control of a device or virtual machine. After gaining control, they would have the capability of installing malware to intercept authentication material from authorized users.
The issue found in the device stems from its web server - a slightly modified version of the Apache httpd server. Additionally, attackers are also trying to brute force their way in by password spraying known SonicWall appliance default passwords. There aren’t any temporary mitigations for the vulnerability, so SonicWall urges customers to apply patches as soon as possible. This vulnerability affects versions 10.2.1.1-19sv, 10.2.0.8-37sv, and 10.2.1.2-24sv. SonicWall stated that they are actively monitoring activity against CVE-2021-20038 and urges all organizations regardless of security products to be consistent and thorough with their patching policy and execution.
At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.