Attackers are now attempting to exploit a severe vulnerability in SonicWall’s Secure Mobile Access (SMA) gateways that was patched last month. The flaw was identified by Rapid7 Lead Security Researcher Jacob Baines. Tracked as CVE-2021-20038, it is an unauthenticated stack-based buffer overflow that affects SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v), even when the web application firewall (WAF) is enabled.
If the exploit succeeds, a remote unauthenticated attacker can execute code as the ‘nobody’ user on an affected SonicWall appliance. There are no mitigations in place for the time being. After issuing security updates for CVE-2021-20038 in December, SonicWall advised customers with vulnerable appliances to apply the patches as soon as possible, noting that at the time it had found no indication the flaw had been exploited in the wild.
According to Richard Warren, a Principal Security Consultant at NCC Group, threat actors are now attempting to exploit the vulnerability in the wild. He added that attackers are also trying to brute-force their way in by password spraying known SonicWall appliance default passwords.
“Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days. Remember to update AND change default password,” the security researcher tweeted. He also said that the attempts do not look successful: “Using that exploit you need to make a huge number of requests (like a million). They are probably just trying their luck or don’t understand the exploit.”
Although these ongoing attacks have yet to succeed, SonicWall customers should patch their SMA 100 appliances to protect against them. SMA 100 users should log in to their MySonicWall.com accounts and upgrade their firmware to the versions listed in the SonicWall PSIRT Advisory. SonicWall’s knowledgebase article or its support team can provide instructions on how to upgrade the firmware.