SonicWall SMA 100 Series Users Urged to Apply Latest FixCritical Flaws Remain Even After the Web Application Firewall Is Enabled
SonicWall is urging users of its Secure Mobile Access 100 series and remote access products - which include SMA 200, 210, 400, 410, and 500v products running unpatched firmware 22.214.171.124-31sv and earlier, 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier - to immediately apply patches. A majority of the devices are affected by eight critical-to-medium-severity vulnerabilities even after enabling their web application firewall, a SonicWall security advisory says.
The U.S. Cybersecurity and Infrastructure Security Agency has also released an advisory encouraging users and administrators using the SonicWall SMA 100 series appliances to apply the necessary firmware updates at the earliest opportunity. It says: "Although there are currently no reports of these vulnerabilities being exploited in the wild, in July 2021, CISA warned of threat actors actively targeting a known, previously patched, vulnerability in SonicWall SMA 100 series appliances," so patching this as soon as possible is necessary (see: SonicWall Urges Patching of Devices to Ward Off Ransomware).
Several other governmental and law enforcement organizations, such as the National Nodal Agency for Protection of Critical Information Infrastructure in India (NCIIPC India), North East Regional Cyber Crime Unit (NERCCU) - a part of U.K. Police - and the Canadian Center for Cyber Security, have also issued advisories about the urgency of patching these vulnerabilities as soon as possible.
A total of eight vulnerabilities were identified in the SMA 100 series appliances. They are:
- CVE-2021-20038: CVSS score - 9.8 - Unauthenticated stack-based buffer overflow vulnerability;
- CVE-2021-20039: CVSS score - 7.2 - Authenticated command injection vulnerability as root;
- CVE-2021-20040: CVSS score - 6.5 - Unauthenticated file upload path traversal vulnerability;
- CVE-2021-20041: CVSS score - 7.5 - Unauthenticated CPU exhaustion vulnerability;
- CVE-2021-20042: CVSS score - 6.3 - Unauthenticated "Confused Deputy" vulnerability;
- CVE-2021-20043: CVSS score - 8.8 - "getBookmarks" heap-based buffer overflow vulnerability;
- CVE-2021-20044: CVSS score - 7.2 - Post-authentication remote code execution, or RCE, vulnerability;
- CVE-2021-20045: CVSS score - 9.4 - Multiple unauthenticated file explorer heap-based and stack-based buffer overflow vulnerabilities.
The most severe of these flaws are a set of unauthenticated heap- and stack-based buffer overflow vulnerabilities, says Claire Tills, a senior research engineer with Tenable's security response team.
In discussing the severity of CVE-2021-20038, she says, "[It] covers a single vulnerability and received a CVSSv3 score of 9.8, while CVE-2021-20045 covers multiple vulnerabilities [but] the bundle received a CVSSv3 score of 9.4." This is because CVE-2021-20038 is the result of using the strcat() function when handling environment variables from the HTTP GET method used in the SMA SSLVPN Apache httpd server, she says.
The next-highest-rated vulnerability, CVE-2021-20043, is also a heap-based vulnerability and received a CVSSv3 score of 8.8. Tills says it is not as critically rated since it requires authentication to exploit. For all three CVEs, however, "successful exploitation would result in code execution as the 'nobody' user in the SMA100 appliance," she says.
One more vulnerability - CVE-2021-20041, with a CVSSv3 score of 7.5 - is dangerous, according to the SonicWall security advisory. It can allow an unauthenticated and remote adversary to consume all of the device's CPU, potentially causing a denial-of-service condition, SonicWall explains.
The company has credited the findings of these eight vulnerabilities to security researchers Jake Baines of Rapid7 and Richard Warren of the NCC Group.
Another good reason why this vulnerability patch is important and needs to be applied immediately is that in a separate post from Rapid7, the company says that it will release the technical details and proof-of-concept code in January 2022 as part of its coordinated vulnerability disclosure process with SonicWall.
Information Security Media Group asked SonicWall exactly how many appliances are affected by these vulnerabilities and whether any of these devices have been exploited since its public announcement on Tuesday. SonicWall provided the following response:
"SonicWall routinely collaborates with third-party researchers, penetration testers and forensic analysis firms to ensure that its products meet or exceed security best practices. One of these valued allies, Rapid7, recently identified a range of vulnerabilities to the SMA 100 series VPN product line, which SonicWall quickly verified. SonicWall designed, tested and published patches to correct the issues and communicated these mitigations to customers and partners. At the time of publishing, there are no known exploitations of these vulnerabilities in the wild."
Opening Door for Disruption
These vulnerabilities can open a lot of avenues for cybercriminals, Adam Flatley tells ISMG.
Flatley is director of threat intelligence at Redacted threat and network intelligence company and a member of the U.S. Ransomware Task Force. He says, "Firewall and other network device vulnerabilities are favorites of threat actors, from cybercriminals like ransomware groups to nation-state APTs. Once an actor has access to a device like this, it is almost always easy to pivot deeper into the network at will from that point, deploy malware, move laterally, and conduct data theft or disruptive operations."
According to Flatley, actors rush to exploit companies before they patch and continue to go after companies that don't patch and that's why it's absolutely critical to monitor for patch releases for every device or software/firmware in your network and update them as soon as possible when new releases come out.
Roger Grimes, data-driven defense evangelist at KnowBe4, says, "As a penetration tester, I broke into every place I was hired to break into ... in an hour or less. My secret? Attacking hardware devices and appliances. I never found one fully patched. ... And this is not a well-kept secret in the hacker world."
SonicWall has experienced a range of issues, particularly with its SMA 100 series appliances, in the past year - from ransomware gangs exploiting a zero-day vulnerability (see: Ransomware Gang Exploits SonicWall Zero-Day Flaw) to the company itself getting hacked and allegedly being held at ransom (see: SonicWall Was Hacked. Was It Also Extorted?).
Citing these incidents, CISA and other law enforcement authorities internationally have directed users to follow the guidance issued by SonicWall or use the company's knowledge base to get the exact steps to carry out the upgrade process to the latest firmware.
SonicWall has not listed any workarounds for these issues, so upgrading the firmware is the only feasible solution at the moment, according to its advisory.
Also, CVE-2021-20039, CVE-202120041 and CVE-2021-20042 all affect firmware version 126.96.36.199-31sv and earlier. SonicWall says that support for 9.0.0 firmware ended on Oct. 31, 2021, and it asks customers who are still using that firmware to upgrade to the latest 10.2.x versions.
But is patching the vulnerability the only road forward?
John Goodacre, director of U.K. Research and Innovation’s digital security by design and professor of computer architectures at the University of Manchester, tells ISMG that it is not. He says, "In addition to patching practices, the future of digital security should include devices that make the vulnerabilities blocked by design. The U.K. government has an initiative called Digital Security by Design working across industry and academia to achieve such a future."