Threat Overview

Blackpoint Cyber’s 24/7 SOC is actively monitoring multiple vulnerabilities recently found in SonicWall’s Secure Mobile Access (SMA) network security appliances.

Affected products:

  • Impacted Platforms: SMA 200, 210, 400, 410, and 500v
  • Impacted Versions: 9.0.0.11-31sv and earlier, 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier.

What Does This Mean to Our Partners?

Tracked as CVE-2021-20038 and CVE-2021-20039, these severe vulnerabilities could allow a complete takeover of the affected appliances, which puts partners running SonicWall SMA products at risk. In its security advisory, SonicWall urges users to patch immediately.

Important: While there is no evidence that these vulnerabilities are being exploited, an active proof of concept (PoC) exists in the wild.

CVE-2021-20038 is a stack-based buffer overflow in the mod_cgi module of the SMA’s Apache httpd server, reached through the environment variables mod_cgi builds for a request. It allows a remote, unauthenticated attacker to execute code on the appliance as the ‘nobody’ user. In practice this means an attacker could take control of the SMA appliance and intercept or redirect the network traffic passing through it. The vulnerability has been assigned a CVSS base score of 9.8 (critical).

CVE-2021-20039 is a command injection vulnerability: improper neutralization of special elements in the POST handler of the management interface’s ‘/cgi-bin/viewcert’ endpoint allows a remote, authenticated attacker to inject arbitrary commands, which run as the ‘nobody’ user. Once running as ‘nobody’, escalating to the root user can be trivial. This vulnerability has been assigned a CVSS base score of 8.8 (high).

How to Protect Yourself and Your Clients

The vulnerabilities were discovered and reported by Rapid7 and NCC Group. SonicWall published its security advisory on December 7, 2021, and on January 11, 2022 released patches for all of the vulnerabilities across the SMA series.

Please ensure that you apply patches immediately. Blackpoint SOC will continue to actively monitor for any indicators of compromise associated with these vulnerabilities. We are confident that our experienced MDR analysts and technology will continue to protect your business and clients.
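To turn the affected-version list above into a quick inventory check, the following Python is an added example (not Blackpoint’s or SonicWall’s code): it parses SMA firmware strings in the form this advisory uses and flags appliances at or below the listed upper bound for their branch. It assumes that “and earlier” means every build at or below that entry within the same major branch; the hostnames and sample inventory are constructed.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Highest affected build per major branch, taken from the advisory's version list.
# Reading "and earlier" as "at or below within the same major branch" is an assumption.
AFFECTED_UPPER_BOUNDS = {
    9: "9.0.0.11-31sv",
    10: "10.2.1.2-24sv",
}

# SMA firmware strings look like MAJOR.MINOR.PATCH.BUILD-REVsv (e.g. 10.2.1.2-24sv).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_sma_version(version: str) -> Optional[Tuple[int, ...]]:
    """Convert a firmware string into a tuple of ints that compares numerically.

    Returns None when the string does not follow the SMA format, so a typo in an
    inventory sheet is reported rather than silently treated as safe.
    """
    m = VERSION_RE.match(version.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: str) -> Optional[bool]:
    """True if the version is within the advisory's affected range for its branch,
    False if it is above that range (or in a branch the advisory does not list),
    None if the string could not be parsed."""
    parsed = parse_sma_version(version)
    if parsed is None:
        return None
    bound = AFFECTED_UPPER_BOUNDS.get(parsed[0])
    if bound is None:
        return False
    return parsed <= parse_sma_version(bound)


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (hostname, version) pairs to (hostname, version, verdict)."""
    labels = {True: "PATCH NOW", False: "not listed", None: "unparseable"}
    return [(host, ver, labels[is_affected(ver)]) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and the last two versions are placeholders.
    sample = [
        ("sma-hq-01", "10.2.1.2-24sv"),
        ("sma-hq-02", "10.2.0.8-37sv"),
        ("sma-branch-01", "9.0.0.11-31sv"),
        ("sma-branch-02", "10.2.1.9-99sv"),
        ("sma-lab", "10.2.1"),
    ]
    for host, ver, verdict in triage_inventory(sample):
        print(f"{host:14} {ver:16} {verdict}")
```

Anything reported as “not listed” still needs to be checked against SonicWall’s own advisory before it is considered patched.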

Get More Information

Don’t wait to strengthen your network security. Blackpoint Cyber’s experienced Managed Detection & Response (MDR) team responds 24/7/365 to critical threats by isolating infected devices and terminating malicious software, immediately helping to eradicate a malicious actor’s foothold in your network. Further, our patented SNAP-Defense Security Operations & Incident Response platform allows us to detect lateral movement in its earliest stages and then neutralize threats before they have a chance to spread.

Contact us today and rest easy knowing that our team keeps you and your clients safe from even the most advanced threats.

Want something new to listen to?

Check out our podcast, The Unfair Fight, where you can hear industry insights from Blackpoint Cyber leadership and our special guests firsthand.