{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2021-066.pdf"
    },
    "title": "SonicWall Critical Vulnerabilities",
    "serial_number": "2021-066",
    "publish_date": "10-12-2021 10:28:00",
    "description": "On December 7th, SonicWall released security patches to address several security vulnerabilities. This list includes a critical unauthenticated stack-based buffer overflow vulnerability (CVE-2021-20038) with a CVSS score of 9.8 out of 10. If exploited, it could allow a remote unauthenticated attacker to execute code as the \"nobody\" user on the appliance.<br>There is another group of vulnerabilities, collectively tracked as CVE-2021-20045, with a combined critical CVSS score of 9.4 out of 10. They could allow a remote unauthenticated attacker to trigger heap-based and stack-based buffer overflows that result in code execution as the \"nobody\" user.<br>According to SonicWall, there is no evidence that these vulnerabilities are being exploited in the wild.",
    "url_title": "2021-066",
    "content_markdown": "---\ntitle: 'SonicWall Critical Vulnerabilities'\nversion: '1.0'\nnumber: '2021-066'\ndate: 'December 10, 2021'\n---\n\n_History:_\n\n* _10/12/2021 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn December 7th, SonicWall released security patches to address several security vulnerabilities [1]. This list includes a critical unauthenticated stack-based buffer overflow vulnerability (CVE-2021-20038) with a CVSS score of 9.8 out of 10. If exploited, it could allow a remote unauthenticated attacker to execute code as the `nobody` user on the appliance.\n\nThere is another group of vulnerabilities, collectively tracked as CVE-2021-20045, with a combined critical CVSS score of 9.4 out of 10. They could allow a remote unauthenticated attacker to trigger heap-based and stack-based buffer overflows that result in code execution as the `nobody` user [2].\n\nAccording to SonicWall, there is no evidence that these vulnerabilities are being exploited in the wild.\n\n# Technical Details\n\n## CVE-2021-20038\n\nThis vulnerability exists because the `mod_cgi` module of the Apache HTTPD server in the SonicWall SMA SSLVPN builds the environment variables for a GET request in a single stack-based buffer using `strcat`, which allows a remote unauthenticated attacker to overflow that buffer [1].\n\n## CVE-2021-20045\n\nThis vulnerability is due to the `sonicfiles` `RAC_COPY_TO` (`RacNumber 36`) method, which allows users to upload files to an SMB share and can be called without any authentication. `RacNumber 36` of the `sonicfiles` API maps to the `upload_file` Python method, which is associated with the `filexplorer` binary. This is a custom program written in C++ that is vulnerable to a number of memory safety issues.\n\n# Affected Products\n\nThese vulnerabilities affect the SMA 100 series:\n\n- SMA 200, 210, 400, 410 and 500v products, versions `9.0.0.11-31sv*` and earlier, `10.2.0.8-37sv`, `10.2.1.1-19sv`, `10.2.1.2-24sv` and earlier.\n- SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities.\n\n# Recommendations\n\nSupport for the `9.0.0` firmware ended on 10/31/2021. Customers still using that firmware should upgrade to the latest `10.2.x` versions.\n\nCERT-EU strongly recommends upgrading affected appliances to the fixed firmware versions (SMA `10.2.0.9-41sv` or `10.2.1.3-27sv`).\n\n# References\n\n[1] <https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026>\n\n[2] <https://threatpost.com/critical-sonicwall-vpn-bugs-appliance-takeover/176869/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>10/12/2021 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On December 7th, SonicWall released security patches to address several security vulnerabilities [1]. This list includes a critical unauthenticated stack-based buffer overflow vulnerability (CVE-2021-20038) with a CVSS score of 9.8 out of 10. If exploited, it could allow a remote unauthenticated attacker to execute code as the <code>nobody</code> user on the appliance.</p><p>There is another group of vulnerabilities, collectively tracked as CVE-2021-20045, with a combined critical CVSS score of 9.4 out of 10. They could allow a remote unauthenticated attacker to trigger heap-based and stack-based buffer overflows that result in code execution as the <code>nobody</code> user [2].</p><p>According to SonicWall, there is no evidence that these vulnerabilities are being exploited in the wild.</p><h2 id=\"technical-details\">Technical Details</h2><h3 id=\"cve-2021-20038\">CVE-2021-20038</h3><p>This vulnerability exists because the <code>mod_cgi</code> module of the Apache HTTPD server in the SonicWall SMA SSLVPN builds the environment variables for a GET request in a single stack-based buffer using <code>strcat</code>, which allows a remote unauthenticated attacker to overflow that buffer [1].</p><h3 id=\"cve-2021-20045\">CVE-2021-20045</h3><p>This vulnerability is due to the <code>sonicfiles</code> <code>RAC_COPY_TO</code> (<code>RacNumber 36</code>) method, which allows users to upload files to an SMB share and can be called without any authentication. <code>RacNumber 36</code> of the <code>sonicfiles</code> API maps to the <code>upload_file</code> Python method, which is associated with the <code>filexplorer</code> binary. This is a custom program written in C++ that is vulnerable to a number of memory safety issues.</p><h2 id=\"affected-products\">Affected Products</h2><p>These vulnerabilities affect the SMA 100 series:</p><ul><li>SMA 200, 210, 400, 410 and 500v products, versions <code>9.0.0.11-31sv*</code> and earlier, <code>10.2.0.8-37sv</code>, <code>10.2.1.1-19sv</code>, <code>10.2.1.2-24sv</code> and earlier.</li><li>SMA 100 series appliances with WAF enabled are also impacted by the majority of these vulnerabilities.</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Support for the <code>9.0.0</code> firmware ended on 10/31/2021. Customers still using that firmware should upgrade to the latest <code>10.2.x</code> versions.</p><p>CERT-EU strongly recommends upgrading affected appliances to the fixed firmware versions (SMA <code>10.2.0.9-41sv</code> or <code>10.2.1.3-27sv</code>).</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026\">https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://threatpost.com/critical-sonicwall-vpn-bugs-appliance-takeover/176869/\">https://threatpost.com/critical-sonicwall-vpn-bugs-appliance-takeover/176869/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}
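The Technical Details section of the advisory above attributes CVE-2021-20038 to CGI environment variables being concatenated into a single stack buffer with `strcat`. The following C program is an added illustration of that bug class written for this page; it is not SonicWall's code, not Apache's `mod_cgi`, and not an exploit. The buffer size (`ENV_BUF_SIZE`), the variable names and the request values are all assumed for illustration. It places the unchecked `strcat` pattern next to a bounds-checked builder and shows, without actually corrupting memory, that a long request-controlled value would exceed the fixed buffer in the first and is refused by the second.

```c
#include <stdio.h>
#include <string.h>

/* Size of the single stack buffer the vulnerable pattern writes into.
 * Assumed for illustration; the real buffer size is not stated in the advisory. */
#define ENV_BUF_SIZE 128

/* Vulnerable pattern (illustrative only): every request-derived variable is
 * appended to one fixed-size buffer with strcat(), which never sees the
 * buffer's capacity. A long attacker-controlled value runs past the end. */
void build_env_unchecked(char *out, const char *method, const char *query, const char *ua)
{
    out[0] = '\0';
    strcat(out, "REQUEST_METHOD=");  strcat(out, method); strcat(out, "\n");
    strcat(out, "QUERY_STRING=");    strcat(out, query);  strcat(out, "\n");
    strcat(out, "HTTP_USER_AGENT="); strcat(out, ua);     strcat(out, "\n");
}

/* Number of bytes build_env_unchecked() would write, including the NUL.
 * Computing it lets the program report an overflow instead of causing one. */
size_t env_unchecked_len(const char *method, const char *query, const char *ua)
{
    return strlen("REQUEST_METHOD=")  + strlen(method) + 1
         + strlen("QUERY_STRING=")    + strlen(query)  + 1
         + strlen("HTTP_USER_AGENT=") + strlen(ua)     + 1
         + 1;
}

/* Hardened form: carry the capacity and the bytes already used, and refuse a
 * variable that does not fit rather than writing past the end of the buffer. */
static int append_var(char *out, size_t cap, size_t *used,
                      const char *name, const char *value)
{
    size_t room = cap - *used;
    int n = snprintf(out + *used, room, "%s=%s\n", name, value);
    if (n < 0 || (size_t)n >= room) {
        out[*used] = '\0';          /* roll back the truncated write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

/* Returns 0 when every variable fit, -1 (with out left at the last complete
 * variable) when one did not. */
int build_env_checked(char *out, size_t cap,
                      const char *method, const char *query, const char *ua)
{
    size_t used = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append_var(out, cap, &used, "REQUEST_METHOD",  method) < 0) return -1;
    if (append_var(out, cap, &used, "QUERY_STRING",    query)  < 0) return -1;
    if (append_var(out, cap, &used, "HTTP_USER_AGENT", ua)     < 0) return -1;
    return 0;
}

int main(void)
{
    char env[ENV_BUF_SIZE];
    char long_query[300];                 /* constructed hostile value: 299 x 'A' */
    memset(long_query, 'A', sizeof long_query - 1);
    long_query[sizeof long_query - 1] = '\0';

    /* Benign request: both builders produce the same environment block. */
    build_env_unchecked(env, "GET", "a=1", "curl/8.0");
    printf("unchecked builder, benign request:\n%s", env);

    /* Hostile request: report how far the unchecked builder would overrun. */
    printf("unchecked builder would write %zu bytes into a %d-byte buffer\n",
           env_unchecked_len("GET", long_query, "curl/8.0"), ENV_BUF_SIZE);

    /* The checked builder refuses the oversized variable and stays in bounds. */
    int rc = build_env_checked(env, sizeof env, "GET", long_query, "curl/8.0");
    printf("checked builder returned %d; buffer holds:\n%s", rc, env);
    return 0;
}
```

The design point is that `strcat` only knows the source string, so no amount of care at the call site protects the destination; the fixed form threads the destination capacity through every append and fails closed when a request-controlled value does not fit. Calling `build_env_unchecked` with the hostile query would be undefined behaviour, which is why the program reports the required length instead of performing the write.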