CVE-2021-20038..42: SonicWall SMA 100 Multiple Vulnerabilities (FIXED)

Over the course of routine security research, Rapid7 researcher Jake Baines discovered and reported five vulnerabilities involving the SonicWall Secure Mobile Access (SMA) 100 series of devices, which includes SMA 200, 210, 400, 410, and 500v. The most serious of these issues can lead to unauthenticated remote code execution (RCE) on affected devices. We reported these issues to SonicWall, which published software updates and released fixes to customers and channel partners on December 7, 2021. Rapid7 urges users of the SonicWall SMA 100 series to apply these updates as soon as possible. The table below summarizes the issues found.

| CVE ID | CWE ID | CVSS | Fix |
| --- | --- | --- | --- |
| CVE-2021-20038 | CWE-121: Stack-Based Buffer Overflow | 9.8 | SNWLID-2021-0026 |
| CVE-2021-20039 | CWE-78: Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection”) | 7.2 | SNWLID-2021-0026 |
| CVE-2021-20040 | CWE-23: Relative Path Traversal | 6.5 | SNWLID-2021-0026 |
| CVE-2021-20041 | | | |
