Vulnerabilities in VPNs get aggressively exploited (see CVE 2019-11510 and CVE 2018-13379 among recent examples – the Pulse Secure and Fortinet VPN vulnerabilies were among the top 10 most exploited bugs last year. A critical new pre-auth RCE bug in SonicWall’s Secure Mobile Access (SMA) 100-series VPN appliances deserves immediate attention as a result – with it giving an unauthenticated, remote user root access.
The SonicWall SMA vulnerability, allocated CVE-2021-20038, was patched Tuesday (December 8, 2021) as one of a flurry of fixes from the security vendor. It comes after the Santa Clara-based company also suffered a “coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products” back in April 2021. That incident triggered an investigation that later saw it confirming a critical zero-day in its SMA 200, 210, 400, 410, 500v products.
Critical SonicWall vulnerability CVE-2021-20038: Buffer overflow ftw...
With reference to the new pre-auth RCE bug, SonicWall said December 7: “A critical severity vulnerability (CVSS 9.8) in SMA 100 appliances, which includes SMA 200, 210, 400, 410 and 500v could allow a remote unauthenticated attacker to cause Stack-based Buffer Overflow and would result in code execution as the nobody user in the SMA100 appliance. It was noticed that the SMA 100 users with licensed/enabled WAF are impacted by this vulnerability”. SonicWall added: “The Vulnerability is due to the SonicWall SMA SSLVPN Apache httpd server GET method of mod_cgi module environment variables use a single stack-based buffer using `strcat`. This allows remote attacker to cause Stack-based Buffer Overflow and would result in code execution.”
It said it has seen no evidence of exploitation in the wild, but that is unlikely to be the case for long as attackers reverse engineer the patch and start scanning for vulnerable, exposed systems. As well as patching rapidly, users should take a long hard look at what’s externally enabled on their firewall; use of Shodan is a good way to see what attackers see. Tools like Infection Monkey can also be used to run breach and attack simulation to see how attackers might exploit current network security gaps; or Bloodhound to identify hidden and often unintended relationships within an Active Directory environment then prevent them from being exploited by attackers.
As the NSA and NCSC noted in a joint advisory this summer. “Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management.” Many are still struggling. The typical outcome of exposure is a crippling ransomware attack.
Identify and patch asap if you can.