
Critical CVE-2021-20038: Protect Your SonicWall SMA 100 Series from Active Exploits


Executive Summary

CVE-2021-20038 is a critical stack-based buffer overflow vulnerability in the Apache httpd server's mod_cgi module as deployed on SonicWall SMA 100 series appliances. It allows a remote, unauthenticated attacker to execute arbitrary code as the 'nobody' user on the affected appliance. The vulnerability has been actively exploited in the wild and poses a significant risk to organizations running the affected appliances. Immediate action is required: apply the vendor patches and put mitigations in place to protect against exploitation.

Technical Information

CVE-2021-20038 is a critical vulnerability that exists due to improper handling of environment variables in the mod_cgi module of the Apache httpd server. The vulnerability affects the following SonicWall SMA 100 series appliances: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The affected firmware versions include 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv, and earlier versions.

The vulnerability can be exploited by sending a specially crafted HTTP request, which triggers a stack-based buffer overflow. Successful exploitation allows the attacker to execute arbitrary code on the affected system with the privileges of the 'nobody' user. The CVSS v3.1 score for this vulnerability is 9.8 (Critical), with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The CVSS v2.0 score is 7.5 (High), with a vector of (AV:N/AC:L/Au:N/C:P/I:P/A:P).
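The following is an added illustration of the bug class described above, not code from SonicWall, Apache or this report: a CGI handler that assembles NAME=value environment strings from request data in a fixed-size stack buffer. The buffer size, function names and header values are assumptions chosen for the example; the hardened form shows the check a fix has to make before any byte is copied.

```c
#include <stdio.h>
#include <string.h>

#define ENV_BUF 64   /* deliberately small fixed-size stack buffer (assumed size) */

/* Vulnerable shape of the bug class: no bounds check, so a request-controlled
 * value longer than the remaining space runs past the end of buf and corrupts
 * the stack. Kept for reading only; nothing below calls it. */
void build_env_unchecked(const char *name, const char *value)
{
    char buf[ENV_BUF];
    strcpy(buf, name);
    strcat(buf, "=");
    strcat(buf, value);   /* overruns buf once name + "=" + value reaches ENV_BUF */
    (void)buf;
}

/* Hardened shape: the destination size travels with the pointer, the required
 * length is computed before any copy, and an over-long input is rejected (-1)
 * instead of being truncated silently. Returns the number of bytes written. */
int build_env_checked(char *out, size_t outsz, const char *name, const char *value)
{
    size_t need = strlen(name) + 1 + strlen(value) + 1;  /* name '=' value NUL */
    if (outsz == 0 || need > outsz)
        return -1;
    int n = snprintf(out, outsz, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= outsz)
        return -1;   /* defensive; cannot happen after the length check above */
    return n;
}

/* A normal-sized (constructed) header fits: returns strlen("HTTP_HOST=sma.example.test") = 26. */
int demo_normal_header(void)
{
    char buf[ENV_BUF];
    return build_env_checked(buf, sizeof buf, "HTTP_HOST", "sma.example.test");
}

/* A constructed 200-byte header value does not fit and is refused: returns -1. */
int demo_oversized_header(void)
{
    char value[201];
    char buf[ENV_BUF];
    memset(value, 'A', sizeof value - 1);
    value[sizeof value - 1] = '\0';
    return build_env_checked(buf, sizeof buf, "HTTP_X_CUSTOM", value);
}

int main(void)
{
    printf("normal header: %d bytes written\n", demo_normal_header());
    printf("oversized header: %d (rejected)\n", demo_oversized_header());
    return 0;
}
```

The point of the checked form is that the size of the destination is known at the copy site and the decision to refuse is taken before the first byte is written; a fix that merely truncates can still leave a malformed environment for the CGI program.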

The vulnerability has been actively exploited in the wild and is listed in CISA's Known Exploited Vulnerabilities Catalog, indicating that it poses a significant risk to organizations using the affected appliances. The MITRE ATT&CK framework categorizes this vulnerability under the tactic of Execution (TA0002) and the technique of Exploitation for Client Execution (T1203).

Exploitation in the Wild

CVE-2021-20038 has been actively exploited in the wild, with attackers targeting organizations that run the affected SonicWall SMA 100 series appliances. The indicators of compromise (IOCs) are generic: anomalous HTTP requests to the appliance, unexpected system behavior, and evidence of unauthorized code execution. The vulnerability's inclusion in CISA's Known Exploited Vulnerabilities Catalog reflects this active exploitation and the significant risk it poses.

APT Groups using this vulnerability

While specific APT groups exploiting this vulnerability have not been publicly identified, the critical nature and active exploitation suggest that it could be leveraged by sophisticated threat actors. Organizations in sectors such as finance, healthcare, and government are particularly at risk, as these sectors are often targeted by APT groups.

Affected Product Versions

The vulnerability affects the following SonicWall SMA 100 series appliances: SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v. The affected firmware versions include 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv, and earlier versions.
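An added example, not part of this report or of any SonicWall tooling, of how an inventory script can classify an SMA 100 firmware version string against the affected set stated above. The version-string shape "A.B.C.D-Nsv" is taken from the versions listed in this report; the affected-set logic compares each branch (10.2.0.x, 10.2.1.x) against its own newest affected release, because a newer 10.2.0 build sorts below 10.2.1.2-24sv numerically and would otherwise be misjudged. The sample inventory entries are constructed; the exact fixed builds are in the SonicWall advisory, not on this page.

```c
#include <stdio.h>
#include <string.h>

/* SMA 100 firmware version as shown on the appliance, e.g. "10.2.1.2-24sv". */
struct fw_version { int a, b, c, d, build; };

/* Parses "A.B.C.D-Nsv"; returns 1 on success, 0 if the string has another shape. */
int parse_fw_version(const char *s, struct fw_version *v)
{
    char suffix[3] = {0};
    int consumed = 0;
    int n = sscanf(s, "%d.%d.%d.%d-%d%2s%n",
                   &v->a, &v->b, &v->c, &v->d, &v->build, suffix, &consumed);
    return n == 6 && strcmp(suffix, "sv") == 0 && s[consumed] == '\0';
}

/* Lexicographic comparison over all five components: <0, 0 or >0. */
int cmp_fw_version(const struct fw_version *x, const struct fw_version *y)
{
    int dx[5] = {x->a, x->b, x->c, x->d, x->build};
    int dy[5] = {y->a, y->b, y->c, y->d, y->build};
    for (int i = 0; i < 5; i++)
        if (dx[i] != dy[i]) return dx[i] < dy[i] ? -1 : 1;
    return 0;
}

static int same_branch(const struct fw_version *x, const struct fw_version *y)
{
    return x->a == y->a && x->b == y->b && x->c == y->c;
}

/* Newest affected release on each firmware branch, from the advisory text above.
 * 10.2.1.1-19sv is also listed there but sits below 10.2.1.2-24sv on the same branch. */
static const char *const LAST_AFFECTED[] = { "10.2.0.8-37sv", "10.2.1.2-24sv" };

/* Returns 1 if the version is in the affected set stated above, 0 if it is newer
 * than the last affected release on its branch (or on a newer branch), and -1
 * if the string cannot be parsed. A 0 result means "not in the listed affected
 * set"; confirm the installed build against the vendor advisory's fixed versions. */
int is_affected_version(const char *s)
{
    struct fw_version v, last, oldest;
    if (!parse_fw_version(s, &v)) return -1;
    parse_fw_version(LAST_AFFECTED[0], &oldest);
    for (size_t i = 0; i < sizeof LAST_AFFECTED / sizeof LAST_AFFECTED[0]; i++) {
        parse_fw_version(LAST_AFFECTED[i], &last);
        if (same_branch(&v, &last))
            return cmp_fw_version(&v, &last) <= 0 ? 1 : 0;
        if (cmp_fw_version(&last, &oldest) < 0) oldest = last;
    }
    /* Unlisted branch: "and earlier versions" covers anything older than the oldest listed branch. */
    return cmp_fw_version(&v, &oldest) < 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed inventory entries for demonstration. */
    const char *inventory[] = { "10.2.1.2-24sv", "10.2.0.9-1sv", "10.1.5.0-3sv", "not-a-version" };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_affected_version(inventory[i]);
        printf("%-16s %s\n", inventory[i],
               r == 1 ? "AFFECTED" : r == 0 ? "not in affected set" : "unparseable");
    }
    return 0;
}
```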

Workaround and Mitigation

To mitigate the risk posed by CVE-2021-20038, organizations should take the following steps:

Apply Patches: SonicWall has released patches for the affected firmware versions. It is crucial to apply these updates immediately to mitigate the risk.

Network Segmentation: Isolate vulnerable appliances from critical network segments to limit potential damage.

Monitor Traffic: Implement monitoring to detect and respond to suspicious activity targeting the affected appliances.
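As an added example of the "Monitor Traffic" step (this is illustrative code written for this page, not a SonicWall or Rescana tool), the following scans combined-format HTTP access log lines and flags requests whose request line is far larger than the appliance's CGI handlers normally see. The log lines, IP addresses, paths and the 512-byte threshold are all constructed assumptions; the threshold should be set from the appliance's own traffic baseline. Oversized header values are not recorded in a stock access log, so catching those needs request-header logging (an Apache LogFormat with %{Header}i) feeding the same check.

```c
#include <stdio.h>
#include <string.h>

/* Threshold for the quoted request field; assumed value, tune to your baseline. */
#define REQ_LEN_THRESHOLD 512

/* Returns the length of the quoted request field ("GET /path HTTP/1.1") of a
 * combined-format access log line, or -1 if no quoted request is present. */
int request_field_len(const char *line)
{
    const char *open = strchr(line, '"');
    if (!open) return -1;
    const char *close = strchr(open + 1, '"');
    if (!close) return -1;
    return (int)(close - open - 1);
}

/* Flags a line whose request field exceeds the threshold. */
int flag_line(const char *line, int threshold)
{
    return request_field_len(line) > threshold;
}

/* Scans lines, prints the flagged ones, and returns how many were flagged. */
int scan_lines(const char *const *lines, int n, int threshold)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        if (flag_line(lines[i], threshold)) {
            flagged++;
            printf("FLAG line %d: request field is %d bytes\n",
                   i + 1, request_field_len(lines[i]));
        }
    }
    return flagged;
}

/* Constructed sample: two ordinary lines and one with a 900-byte request target. */
int demo_scan(void)
{
    static char oversized[2048];
    char target[901];
    memset(target, 'A', sizeof target - 1);
    target[sizeof target - 1] = '\0';
    snprintf(oversized, sizeof oversized,
             "198.51.100.7 - - [12/Jan/2022:10:02:13 +0000] \"GET /cgi-bin/%s HTTP/1.1\" "
             "500 0 \"-\" \"curl/7.79\"", target);
    const char *lines[] = {
        "203.0.113.5 - - [12/Jan/2022:10:00:01 +0000] \"GET /index.html HTTP/1.1\" 200 1342 \"-\" \"Mozilla/5.0\"",
        "203.0.113.9 - - [12/Jan/2022:10:01:44 +0000] \"POST /cgi-bin/login HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"",
        oversized,
    };
    return scan_lines(lines, 3, REQ_LEN_THRESHOLD);
}

int main(void)
{
    printf("%d line(s) flagged\n", demo_scan());
    return 0;
}
```

A length heuristic like this is a coarse signal, not a signature: it is meant to feed an alert for review alongside the appliance's own event logs, and it says nothing about requests the appliance never logged.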

References

For further information, please refer to the following references and advisories:

NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2021-20038

SonicWall Security Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Exploit Code: https://github.com/jbaines-r7/badblood

Rapid7 Blog Post: https://www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/

BleepingComputer Article: https://www.bleepingcomputer.com/news/security/attackers-now-actively-targeting-critical-sonicwall-rce-bug/

CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Exploit Code: https://github.com/ExploitPwner/CVE-2021-20038-Mass-RCE-SonicWall

Metasploit Module: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/sonicwall_cve_2021_20039.rb

Rescana is here for you

At Rescana, we understand the critical importance of protecting your organization from cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform helps you identify, assess, and mitigate vulnerabilities in your environment. We are committed to providing you with the tools and expertise needed to stay ahead of emerging threats. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.
