The highest severity flaws patched by SonicWall last week were CVE-2021-20038 and CVE-2021-20045, two critical Stack-based buffer overflow vulnerabilities that could allow remote unauthenticated attackers execute as the ‘nobody’ user in compromised appliances.
Other bugs patched by the company last Tuesday enable authenticated threat actors to gain remote code execution, inject arbitrary commands, or upload crafted web pages and files to any directory in the appliance following successful exploitation. However, the most dangerous one if left unpatched is CVE-2021-20039. This high severity security issue can let authenticated attackers inject arbitrary commands as the root user leading to a remote takeover of unpatched devices.
John Goodacre, UKRI Challenge Director Digital Security by Design and Professor of Computer Architectures at Manchester University, took part in a short Q&A, which resulted in 7 pieces of coverage across the ISMG estate of publications
- The advisory says there have been no signs of exploitation in the wild. However, which type of threat actors may be interested in attacking by exploiting these vulnerabilities?
“Gaining root access enables an attacker to gain complete control of a device. As the SonicWall devices are secure gateways designed to provide secure remote access then an attacker could be interested in compromising them to gain access to systems.”
- Do you think future exploitation is on the cards?
“It is important that this be patched.”
- Why do you think threat actors will be interested in the exploitation of these vulnerabilities?
“Exploiting to gain control in devices but also of concern given the history that Mandiant have highlighted them being used to distribute ransomware and the warning issued here to release these.”
- Can these vulnerabilities be used to create backdoor and persistence?
“As the vulnerability does create root access this is possible, but something can be cleaned up.”
- What’s your take on this whole vulnerability fix?
“In addition to patching practices, the future of digital security should include devices that make the vulnerabilities blocked by design. The UK Government has an initiative called Digital Security by Design working across industry and academia to achieve such a future.”