Flash Notice: Threat Actors Target SonicWall RCE Vulnerability (CVE-2021-20038)

Written by Marketing | Jan 26, 2022 2:27:28 PM

Overview of cve-2021-20038 exploit

New exploits of a critical vulnerability (CVE-2021-20038) affecting SonicWall’s Secure Mobile Access (SMA) gateway was discovered yesterday. The vulnerability is an unauthenticated stack-based buffer overflow which impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v). The vulnerability was addressed by SonicWall in December 2021, but attackers are still targeting the gateway.

Exploitation of CVE-2021-20038 allows remote unauthenticated attackers to execute code as the ‘nobody’ user in compromised SonicWall appliances. The vulnerability has a Common Vulnerability Scoring System score (CVSS) of 9.8 and allows attackers to overwrite several security-critical data on an execution stack that can lead to arbitrary code execution. CVE-2021-20038 could allow attackers to get complete control of a device or virtual machine. After gaining control, they would have the capability of installing malware to intercept authentication material from authorized users.

The issue found in the device stems from its web server - a slightly modified version of the Apache httpd server. Additionally, attackers are also trying to brute force their way in by password spraying known SonicWall appliance default passwords. There aren’t any temporary mitigations for the vulnerability, so SonicWall urges customers to apply patches as soon as possible. This vulnerability affects versions 10.2.1.1-19sv, 10.2.0.8-37sv, and 10.2.1.2-24sv. SonicWall stated that they are actively monitoring activity against CVE-2021-20038 and urges all organizations regardless of security products to be consistent and thorough with their patching policy and execution.

How Avertium is Protecting Our Customers:

Avertium offers EDR endpoint protection through SentinelOne, Sophos, and Microsoft Defender.

- SentinelOne prevents threats and extends protection from the endpoint to beyond. Find threats and eliminate blind spots with autonomous, real time, index-free threat ingestion and analysis that supports structured, unstructured, and semi-structured data.

If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your own team, outsourced solutions can help you bridge the gap. Avertium offers Vulnerability Management to provide a deeper understanding and control over organizational information security risks.
Avertium offers Zero Trust Network as a Service (ZTNaaS) for any organization that wants to control their attack surface. The zero-trust security model delivers exactly what the name promises: it's an IT security concept that specifies no access is allowed until the successful completion of authentication and authorization processes.

Avertium's recommendations

SonicWall SMA 100 users are recommended to log in to their MySonicWall.com accounts to upgrade the firmware versions SonicWall outlined in their advisory.
Patch all devices. Please go to SonicWall’s security advisory for details.
Due to password spraying, please change your passwords to strong/hard passwords
Monitor network traffic regularly
Provide training for IT staff on how to handle IoT medical devices

INDICATOR'S OF COMPROMISE (IOCS):

At this time, there are no known IoCs. Avertium’s threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Service Delivery Manager or Account Executive.

references

Critical SonicWall NAC Vulnerability Stems from Apache Mods | Threatpost

Attackers now actively targeting critical SonicWall RCE bug (bleepingcomputer.com)

CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities (FIXED) | Rapid7 Blog

Security Advisory (sonicwall.com)