
A critical severity vulnerability impacting SonicWall's Secure Mobile Access (SMA) gateways addressed last month is now targeted in ongoing exploitation attempts.

The bug, found by Rapid7 Lead Security Researcher Jacob Baines, is an unauthenticated stack-based buffer overflow tracked as CVE-2021-20038 that impacts SMA 100 series appliances (including SMA 200, 210, 400, 410, and 500v) even when the web application firewall (WAF) is enabled.

Successful exploitation can let remote unauthenticated attackers execute code as the 'nobody' user in compromised SonicWall appliances.

"There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible," the company said in December after releasing the CVE-2021-20038 security updates, adding that it had found no evidence of the bug being exploited in the wild at the time.

However, today, Richard Warren, a Principal Security Consultant at NCC Group, said that threat actors are now attempting to exploit the vulnerability in the wild.

Warren added that attackers are also trying to brute force their way in by password spraying known default passwords for SonicWall appliances.

"Some attempts itw on CVE-2021-20038 (SonicWall SMA RCE). Also some password spraying of default passwords from the past few days. Remember to update AND change default password," the security researcher tweeted today.

"They don't look successful as far as I can tell," Warren also told BleepingComputer. "Using that exploit you need to make a huge number of requests (like a million). They are probably just trying their luck or don't understand the exploit."
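The two patterns described above, an exploit that needs an enormous volume of requests from one source and repeated login failures against default account names, are both visible in gateway access logs. The script below is an added example written for this article, not code from SonicWall, NCC Group or BleepingComputer; the "timestamp source status user" log format, the sample traffic and the list of default usernames are all constructed assumptions rather than the appliance's real log layout.

```python
"""Rate-based triage of requests to an SSL-VPN gateway (constructed example).

Flags two patterns: a single source sending an abnormally large number of
requests inside a short window (request flood), and repeated failed logins
against well-known default account names (password spraying).
The log format 'timestamp src status user' is an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    src: str
    status: int
    user: str  # "-" when the request carried no login attempt


def parse_line(line: str) -> Event:
    """Parse one line of the hypothetical 'timestamp src status user' format."""
    ts, src, status, user = line.split()
    return Event(datetime.fromisoformat(ts), src, int(status), user)


def parse_log(text: str) -> List[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def request_floods(events: List[Event], window: timedelta = timedelta(seconds=60),
                   threshold: int = 100) -> Dict[str, int]:
    """Return {src: peak requests seen in any `window`} for sources above `threshold`.

    A two-pointer sliding window over each source's sorted timestamps keeps the
    check linear in the number of events per source.
    """
    by_src: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        by_src[e.src].append(e.ts)
    flagged: Dict[str, int] = {}
    for src, stamps in by_src.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[src] = peak
    return flagged


# Constructed list of default account names worth watching; extend per appliance.
DEFAULT_USERS = {"admin"}


def default_credential_spray(events: List[Event], threshold: int = 3) -> Dict[str, int]:
    """Return {src: failed default-account logins} for sources at or above `threshold`."""
    fails: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.user in DEFAULT_USERS and e.status in (401, 403):
            fails[e.src] += 1
    return {src: n for src, n in fails.items() if n >= threshold}


def build_sample_log() -> str:
    """Constructed traffic: one flooding source, one spraying source, one benign client."""
    t0 = datetime(2022, 1, 20, 10, 0, 0)
    lines = []
    for i in range(150):  # 150 requests in 30 s from a single source
        lines.append(f"{(t0 + timedelta(seconds=i / 5)).isoformat()} 203.0.113.7 200 -")
    for i in range(5):  # five failed 'admin' logins, one per minute
        lines.append(f"{(t0 + timedelta(minutes=i)).isoformat()} 198.51.100.9 401 admin")
    for i in range(10):  # benign client browsing slowly
        lines.append(f"{(t0 + timedelta(minutes=2 * i)).isoformat()} 192.0.2.5 200 -")
    lines.append(f"{(t0 + timedelta(minutes=3)).isoformat()} 192.0.2.5 401 jdoe")
    return "\n".join(lines)


def triage(text: str) -> Dict[str, Dict[str, int]]:
    events = parse_log(text)
    return {"floods": request_floods(events),
            "sprays": default_credential_spray(events)}


if __name__ == "__main__":
    print(triage(build_sample_log()))
```

Thresholds are deliberately low so the constructed sample trips them; on a real gateway they should be tuned from a baseline of normal traffic, and the flood detector is only a coarse tripwire for the kind of high-volume exploitation attempt Warren describes, not a signature for CVE-2021-20038 itself.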

In a statement sent after this article was published, a SonicWall spokesperson told BleepingComputer that the company is yet to observe successful CVE-2021-20038 exploitation attempts targeting SMA 100 appliances.

SonicWall PSIRT is actively monitoring activity against all critical CVEs, including CVE-2021-20038. Currently, SonicWall PSIRT has not observed any successful active exploitation attempts against CVE-2021-20038, nor have any reports been made of successful exploitation. SonicWall patched the vulnerability in early December 2021 and communicated guidance to any impacted customers or partners. SonicWall continues to urge all organizations, regardless of security products, to be consistent and thorough in patching policy and execution. — SonicWall

Patch now to defend against attackers

While these ongoing attacks haven't yet been successful, SonicWall customers are advised to patch their SMA 100 appliances to block hacking attempts.

SMA 100 users are advised to log in to their MySonicWall.com accounts and upgrade the firmware to the versions outlined in this SonicWall PSIRT Advisory.

Assistance on how to upgrade the firmware is available in this knowledgebase article or by contacting SonicWall's support.

SonicWall SMA 100 appliances have been targeted in multiple campaigns since the start of 2021, including in attacks coordinated by ransomware gangs.

For instance, the CVE-2021-20016 SMA 100 zero-day was used to deploy FiveHands ransomware starting in January 2021, when it was also exploited in attacks against SonicWall's internal systems. Before being patched two weeks later, in early February 2021, the same flaw was also abused indiscriminately in the wild.

In July, SonicWall warned of the increased risk of ransomware attacks targeting unpatched end-of-life SMA 100 series and Secure Remote Access products. However, CrowdStrike, Coveware security researchers, and CISA warned that HelloKitty ransomware operators were already targeting SonicWall appliances.

Over 500,000 business customers from 215 countries are using SonicWall products worldwide, many of them deployed on the networks of government agencies and the world's largest companies.

Update: Corrected CVE-2021-20016 patch release interval.
