Attackers are actively targeting critical RCE bug in SonicWall Secure Mobile Access

2 years ago 132
BOOK THIS SPACE FOR AD
ARTICLE AD

Threat actors are actively exploiting a critical flaw (CVE-2021-20038) in SonicWall’s Secure Mobile Access (SMA) gateways addressed in December.

Threat actors are actively exploiting a critical flaw, tracked as CVE-2021-20038, in SonicWall’s Secure Mobile Access (SMA) gateways addressed by the vendor in December.

The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. The CVE-2021-20038 vulnerability impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.

A remote attacker can exploit the vulnerability to execute arbitrary code as the ‘nobody’ user in compromised SonicWall appliances.

In early December, security vendor SonicWall urged customers using SMA 100 series appliances to apply security patches that address multiple security vulnerabilities, some of which have been rated as critical.

The most severe vulnerabilities addressed by SonicWall are two critical stack-based buffer overflow vulnerabilities tracked as CVE-2021-20038 and CVE-2021-20045 respectively. A remote attacker can trigger the two vulnerabilities to potentially execute as the ‘nobody’ user in compromised appliances.

“A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.” reads the advisory for the CVE-2021-20038 flaw.

The news of the exploitation of the issue in the wild was confirmed by the security firm NCC Group.

Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days

Remember to update AND change default passwords 🙂 pic.twitter.com/WyDIXVKb4m

— Rich Warren (@buffaloverflow) January 24, 2022

Experts also warned of some password spraying attacks attempting to compromise devices using default passwords.

The attacks spotted by the researchers don’t seem to be the result of a massive coordinated attack, some threat actors are only opportunistic attempts to trigger the flaw.

None of the observed attacks were successful.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall Secure Mobile Access)




Read Entire Article