Critical SonicWall RCE Bug Actively Targeted by Threat Actors
Patched in the Past, Exploited in the Present.
A critical SonicWall RCE bug is now on the radar of hackers, who are attempting to exploit it at scale. The vulnerability affects SonicWall's Secure Mobile Access (SMA) gateways and was addressed by the company in December 2021, when it was assigned CVE-2021-20038.
More Details about the SonicWall RCE Bug
Security researcher Jacob Baines from Rapid7 identified this vulnerability, which can be described as an unauthenticated stack-based buffer overflow. The impacted appliances are the SMA 100 series, which includes the SMA 200, 210, 400, 410, and 500v. The bug affects these devices whether or not the web application firewall (WAF) is enabled.
The danger posed by this vulnerability lies in the fact that successful exploitation by threat actors leads to code execution on the compromised appliance.
Recently, Richard Warren from NCC Group tweeted about the matter, underlining the vulnerability's mass exploitation by threat actors. He also noted brute-force attacks in the form of password spraying with default passwords.
Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days
Remember to update AND change default passwords 🙂 pic.twitter.com/WyDIXVKb4m
— Rich Warren (@buffaloverflow) January 24, 2022
What Should Be Done for Now?
Following the assignment of CVE-2021-20038 to the vulnerability, SonicWall declared in December that:
There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible.
Therefore, all customers should apply the necessary patches to their SMA 100 appliances as soon as possible.
The SonicWall PSIRT Advisory specifies the firmware version customers should upgrade to in order to remain safeguarded. To do so, customers should log in to their SonicWall account at MySonicWall.com and follow the instructions in the advisory.
If they are unable to upgrade to the specified firmware, the SonicWall support team can assist them, or they can follow the instructions in the knowledge base article provided by the company.
SonicWall SMA 100 Appliances, Not Targeted for the First Time
According to BleepingComputer, an SMA 100 zero-day tracked as CVE-2021-20016 was leveraged to distribute FiveHands ransomware beginning in January 2021. The bug was addressed and patched two weeks later.
In July 2021, unpatched SMA 100 series and Secure Remote Access products were at risk of being targeted in a wave of ransomware attacks.
We also wrote about CVE-2021-20045 and CVE-2021-20039, which impact SonicWall SMA 100 series appliances. The first was, like the bug discussed above, a stack-based buffer overflow through which threat actors could execute code as the 'nobody' user, while the second would have let attackers act as the root user and execute arbitrary commands.
How to Stay Safe Using Heimdal™?
Keep your critical assets well safeguarded and updated by adopting an automated vulnerability management strategy. How? Choose our Patch & Asset Management tool, a product that will change how you look at the patching process, as it covers a broad range of patches and is able to make them ready to be deployed in less than 4 hours from the release.