One of the major cybersecurity stories that broke last week was related to a critical bug in SonicWall’s SMA 100 series appliances. SonicWall ‘strongly urged’ all organisations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical. The highest severity flaws patched by SonicWall last week were CVE-2021-20038 and CVE-2021-20045, two critical Stack-based buffer overflow vulnerabilities that could allow remote unauthenticated attackers execute as the ‘nobody’ user in compromised appliances.
Other bugs patched by the company last Tuesday enable authenticated threat actors to gain remote code execution, inject arbitrary commands, or upload crafted web pages and files to any directory in the appliance following successful exploitation. However, the most dangerous one if left unpatched is CVE-2021-20039. This high severity security issue can let authenticated attackers inject arbitrary commands as the root user leading to a remote takeover of unpatched devices.
John Goodacre, UKRI Challenge Director Digital Security by Design and Professor of Computer Architectures at Manchester University, took part in a short Q&A, which resulted in 7 pieces of coverage across the ISMG estate of publications
“Gaining root access enables an attacker to gain complete control of a device. As the SonicWall devices are secure gateways designed to provide secure remote access then an attacker could be interested in compromising them to gain access to systems.”
“It is important that this be patched.”
“Exploiting to gain control in devices but also of concern given the history that Mandiant have highlighted them being used to distribute ransomware and the warning issued here to release these.”
“As the vulnerability does create root access this is possible, but something can be cleaned up.”
“In addition to patching practices, the future of digital security should include devices that make the vulnerabilities blocked by design. The UK Government has an initiative called Digital Security by Design working across industry and academia to achieve such a future.”
Follow Innovate UK