SonicWall Advises Prompt Firmware Upgrade to Correct Critical Vulnerabilities in SMA 100 Series Appliances

December 10, 2021 Christine Garcia HIPAA News

SonicWall has launched a new software program for its Secure Mobile Access (SMA) 100 series remote access appliances that correct 8 vulnerabilities which include 2 critical and 4 high-severity vulnerabilities.

Threat actors are exploiting vulnerabilities in SonicWall appliances previously in ransomware attacks. Although there are no reported cases of exploiting the most recent batch of vulnerabilities in the wild presently, there is a great risk of these vulnerabilities being taken advantage of when the firmware is not updated immediately. SMA 100 series appliances consist of the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, which are all affected.

The most serious vulnerabilities are buffer overflow concerns which an unauthenticated attacker can exploit remotely to execute code on vulnerable appliances. These are

  • CVE-2021-20038 has a CVSS score of 9.8. It is an unauthenticated stack-based buffer overflow vulnerability
  • CVE-2021-20045 has a CVSS score of 9.4. It covers several unauthenticated file explorer heap-dependent and stack-based buffer overflow problems.

The 4 high severity vulnerabilities are as follows:

  • CVE-2021-20043 has a CVSS score of 8.8. It is a heap-dependent buffer overflow vulnerability that allows remote code execution. However, an attacker must be authenticated.
  • CVE-2021-20041 has a CVSS score of 7.5. It is an unauthenticated CPU exhaustion vulnerability.
  • CVE-2021-20039 has a CVSS score of 7.2. It is an authenticated command injection vulnerability.
  • CVE-2021-20044 has a CVSS score of 7.2. It is a post-authentication remote code execution vulnerability.

Two medium-severity vulnerabilities were also fixed:

  • CVE-2021-20040 has a CVSS score of 6.5. It is an unauthenticated file upload path traversal vulnerability.
  • CVE-2021-20042 has a CVSS score of 6.3. It is an unauthenticated ‘confused deputy’ vulnerability.

The software update is accessible at MySonicWall.com and must be implemented immediately to avoid exploitation. SonicWall says no temporary mitigations can be used to avoid vulnerability exploitation.

About Christine Garcia 1298 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA
Twitter