Technical details and exploitation notes have been published for a remote-code-execution vulnerability in Sonicwall SMA 100 series VPN appliances.
The information was released today by infosec outfit Rapid7. This comes about a month after Sonicwall issued a patch for the security hole, which was discovered and privately disclosed by Rapid7's Jake Baines to Sonicwall in October.
If you haven't yet applied the update, now would be a good time before it's widely exploited. So far there is no evidence the programming flaw, which is present in SMA 200, 210, 400, 410 and 500v products as well as the 100, has been abused in the wild, Sonicwall said.
Rated at 9.8 on the CVSS v3.1 scale, the bug is a stack-based buffer overflow tracked as CVE-2021-20038. It can be exploited by miscreants via the network, without any authorization, to execute code as the low-privilege "nobody" user, according to Sonicwall's PSIRT note.
Baines on Tuesday in a blog post described the vulnerability in detail.
He said Sonicwall's "slightly modified" version of the Apache httpd web server software runs on the affected appliance; this software is configured to restart automatically if it crashes, giving an attacker multiple attempts at pulling off exploitation. After triggering the overflow with an "overly long" HTTP query string to the device, and defeating the address space layout randomization (ASLR) – which isn't tough given it's a 32-bit system with low ASLR entropy – an intruder then just has to "su to root using the password 'password'," Baines said.
Thus it's possible to go from sending a long query string to a VPN appliance over the network to running code as nobody, to gaining superuser privileges with the password 'password' and taking over the device completely. This vuln affects Sonicwall SMA 100-series devices; check with Sonicwall on which firmware versions to upgrade to.
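A defender-side check for the trigger described above, as an added example that is not from Rapid7's write-up or Sonicwall: it scans request lines for oversized query strings and for repeated attempts from one source. It assumes Common Log Format lines recorded by a proxy or sensor in front of the appliance; the 1,024-byte threshold, the repeat count and all names are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter

# Assumption: the page only says "overly long"; tune this to your own traffic.
MAX_QUERY_LEN = 1024
# Assumption: several oversized requests from one source suggest retries
# against a web server that restarts after each crash.
REPEAT_THRESHOLD = 3

# Leading fields of a Common/Combined Log Format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}|-)'
)

def oversized_queries(lines, max_len=MAX_QUERY_LEN):
    """Return (ip, timestamp, query_length) for each over-long query string."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not guessed at
        query = m.group("target").partition("?")[2]
        if len(query) > max_len:
            hits.append((m.group("ip"), m.group("ts"), len(query)))
    return hits

def repeat_sources(hits, min_hits=REPEAT_THRESHOLD):
    """Sources that sent at least min_hits oversized requests."""
    counts = Counter(ip for ip, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= min_hits}

def _line(ip, sec, target, status):
    # Builds one constructed log line; addresses are documentation ranges.
    return (f'{ip} - - [01/Jan/2022:10:00:{sec:02d} +0000] '
            f'"GET {target} HTTP/1.1" {status} 0')

# Constructed sample input: filler characters only, no payload.
SAMPLE = [
    _line("192.0.2.10", 1, "/index.html?lang=en", 200),
    _line("198.51.100.7", 2, "/?" + "A" * 2000, 502),
    _line("198.51.100.7", 5, "/?" + "A" * 2100, 502),
    _line("198.51.100.7", 9, "/?" + "A" * 2200, 502),
    _line("203.0.113.4", 12, "/search?q=" + "b" * 1500, 200),
]

if __name__ == "__main__":
    hits = oversized_queries(SAMPLE)
    for ip, ts, length in hits:
        print(f"{ts} {ip} query length {length}")
    print("repeat sources:", repeat_sources(hits))
```

A single long query, such as the constructed search request here, is often benign; the repeat-source grouping is what separates it from a run of retries.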
In addition, Baines found and privately disclosed four other Sonicwall SMA 100-series bugs, and again described them in detail today. Those flaws were patched in December – see the above PSIRT link – are not said to be actively exploited, and are:
- CVE-2021-20039, rated 7.2; OS command injection
- CVE-2021-20040, rated 6.5; path traversal
- CVE-2021-20041, rated 7.5; infinite loop
- CVE-2021-20042, rated 6.5; "unintended proxy or intermediary"
Meanwhile, UK's NCC Group found two buffer overflows, CVE-2021-20045 and CVE-2021-20043, in Sonicwall products that can be exploited by an unauthenticated user to achieve remote execution. These bugs are CVSS rated at 9.4 and 8.8 respectively. NCC also spotted CVE-2021-20044, which would allow remote code execution though only by an authenticated user.
Again, these bugs were patched in December (see above PSIRT link) and affect the SMA 100 series, which includes SMA 200, 210, 400, 410 and 500v equipment. Consult SonicWall for the correct firmware version to update to.
"SonicWall strongly urges that organizations ... patch SMA 100 series products," the manufacturer warned in its advisory.
While Sonicwall insisted there is "no evidence" of exploitation attempts targeting these devices, now that patches and exploit info are out there, it may just be a matter of time before someone starts breaking into these appliances using all of this knowledge.
VPN boxes have been popular targets in the past for state-backed attackers, for instance.
Last July, Sonicwall issued an emergency alert telling users of the SMA 200 and 400 to update their firmware immediately, following warnings from Mandiant of live exploit attempts.
NCC Group said the vuln CVE-2021-20045 it found affecting SMA 100 series appliances stemmed from "unchecked use of strcpy with a fixed size buffer." ®