SonicWall Customers Warned of Possible Attacks Exploiting Recent Vulnerability

Hackers have started targeting a recently patched vulnerability affecting SonicWall’s Secure Mobile Access (SMA) 100 series appliances, and while the attacks observed to date do not appear to have been successful, that could soon change.

The security flaw in question is CVE-2021-20038, a critical remote code execution vulnerability that SonicWall patched in December alongside several other issues impacting SMA 100 series products.

CVE-2021-20038 is a stack-based buffer overflow that can allow attackers to take complete control of a device or virtual machine running an SMA appliance.

Rapid7, whose researchers discovered the vulnerability, disclosed details earlier this month, and at least one proof-of-concept (PoC) exploit has been released by others.

Rich Warren, principal security consultant at NCC Group, warned this week that they had started seeing in-the-wild attempts to exploit CVE-2021-20038.

“The attempts so far appear to be opportunistic, non-targeted in nature and likely from unsophisticated attackers,” Warren told SecurityWeek. “So far the attacks have been unsuccessful, however as proven by the publicly available exploit and Rapid7’s write up, the vulnerability is exploitable in a real-world scenario. The exploit detailed by Rapid7 requires around 250,000 requests. So far we’ve only seen handfuls of around 3 or 4 requests at a time.”

Warren added, “In the worst case scenario, this would allow the attacker to gain remote access to the underlying VPN appliance, and the internal network access that comes with that. While the advisory states that code execution would be achieved under the ‘nobody’ user, escalation to ‘root’ is trivial, at which point the attacker would have full unfettered access to the operating system.”

SonicWall told SecurityWeek that its PSIRT is actively monitoring activity against all critical vulnerabilities and it has not observed any successful exploitation attempts targeting CVE-2021-20038. The company also pointed out that currently there are no reports of successful exploitation.

“SonicWall patched the vulnerability in early December 2021 and communicated guidance to any impacted customers or partners. SonicWall continues to urge all organizations, regardless of security products, to be consistent and thorough in patching policy and execution,” the company said in a statement.

The United States, Japan and Australia have issued warnings about the vulnerability.

Warren also highlighted that in addition to attacks targeting CVE-2021-20038, they have seen password spraying activity aimed at SonicWall appliances. Attackers are hoping that administrators have failed to change default passwords, which would enable them to gain admin access to the web application.

“There were several post-authentication RCE vulnerabilities also patched in the same update, so it’s likely that attackers are hoping to first gain admin access through password spraying before exploiting one of the post-auth vulnerabilities, which again would give them code execution on the device,” the researcher warned.

It’s not uncommon for malicious actors to target SonicWall products. Threat groups have been known to exploit both old and new vulnerabilities in their operations.

Related: SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

Related: SonicWall Says Internal Systems Targeted by Hackers Exploiting Zero-Day Flaws

Related: SonicWall Patches Critical Vulnerability in SMA Appliances