Threat actors are actively exploiting a critical flaw, tracked as CVE-2021-20038, in SonicWall’s Secure Mobile Access (SMA) gateways addressed by the vendor in December.
The vulnerability is an unauthenticated stack-based buffer overflow that was reported by Jacob Baines, lead security researcher at Rapid7. The CVE-2021-20038 vulnerability impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.
A remote attacker can exploit the vulnerability to execute arbitrary code as the ‘nobody’ user in compromised SonicWall appliances.
In early December, security vendor SonicWall urged customers using SMA 100 series appliances to apply security patches that address multiple security vulnerabilities, some of which have been rated as critical.
The most severe vulnerabilities addressed by SonicWall are two critical stack-based buffer overflow vulnerabilities tracked as CVE-2021-20038 and CVE-2021-20045 respectively. A remote attacker can trigger the two vulnerabilities to potentially execute as the ‘nobody’ user in compromised appliances.
“A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server’s mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a ‘nobody’ user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.” reads the advisory for the CVE-2021-20038 flaw.
The news of the exploitation of the issue in the wild was confirmed by the security firm NCC Group.
Experts also warned of some password spraying attacks attempting to compromise devices using default passwords.
The attacks spotted by the researchers don’t seem to be the result of a massive coordinated attack, some threat actors are only opportunistic attempts to trigger the flaw.
None of the observed attacks were successful.
(SecurityAffairs – hacking, SonicWall Secure Mobile Access)