Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

SonicWall SMA 100 Series 10.x Firmware Zero-Day Vulnerability

Exploited in the Wild
MITRE ATT&CK tactics: Defense Evasion
Validation: Validated

Description

Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:

  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

Technical Analysis

Threat status: Threat (actively exploited)
Attacker utility: Network pivot

Description

Update May 12, 2021: FireEye published a report this week noting that the DarkSide ransomware operators are using CVE-2021-20016 as an initial compromise vector in their extortion attacks. Recent reports have indicated that ransomware operations are targeting externally-facing corporate infrastructure—we strongly recommend keeping network pivots (including VPNs, firewalls, and internet-facing load balancers) up-to-date on a short patch cycle.

On January 22, 2021, SonicWall published a security alert explaining that they had been compromised by unknown threat actors utilizing probable zero-day vulnerabilities in their own products. Through the subsequent week, SonicWall narrowed down the affected products to SMA 100 series appliances running firmware versions 10.x.

On January 31, 2021, NCC Group tweeted that they had observed “indiscriminate” exploitation of a zero-day vulnerability in the wild, potentially the one identified by SonicWall. This vulnerability is being tracked as CVE-2021-20016, an SQL injection that allows remote, unauthenticated attackers access to credential and session information. More information can be found in the SonicWall security advisory.

On February 3, 2021, SonicWall released SMA 100 series firmware version 10.2.0.5-29sv to patch CVE-2021-20016. Rapid7 urges SonicWall customers to upgrade immediately, as CVE-2021-20016 is considered a widespread threat due to NCC Group’s findings.

Affected products

Affected SMA 100 Devices with 10.x Firmware that Require the Critical Patch:

  • Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
  • Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)

Rapid7 analysis

Web path /cgi-bin contains numerous ELF binaries, some even SUID-root. The web interface is built on Apache and uses these binaries in conjunction with an SQLite backend.

root@sslvpn:/usr/src/EasyAccess/www/cgi-bin # ls -l
total 7330
-rwxr-xr-x 1 root root  17664 Feb  3 07:16 DEARegister
-rwxr-xr-x 1 root root     52 Feb  3 07:16 DEARegister.html
-rwxr-xr-x 1 root root   5163 Feb  3 07:16 FileSharesJavaApplet.html
-rwxr-xr-x 1 root root   1779 Feb  3 07:16 FileSharesJavaAppletLauncher.html
-rwxr-xr-x 1 root root   3424 Feb  3 07:16 HTTPReverseProxy.class
-rwxr-xr-x 1 root root   7331 Feb  3 07:16 MeetingInfo.html
-rwxr-xr-x 1 root root   2712 Feb  3 07:16 SNWL-COMMON-MIB.MIB
-rwxr-xr-x 1 root root   4856 Feb  3 07:16 SNWL-SSLVPN-MIB.MIB
-rwxr-xr-x 1 root root   3178 Feb  3 07:16 SONICWALL-SMI.MIB
-rwsr-sr-x 1 root root   5368 Feb  3 07:16 SSLVPNState.xml
-rwxr-xr-x 1 root root  10993 Feb  3 07:16 VirtualMeeting.html
-rwxr-xr-x 1 root root   2772 Feb  3 07:16 VirtualMeetingPlugin.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 about
-rwxr-xr-x 1 root root  61711 Feb  3 07:16 about.html
-rwsr-sr-x 1 root root  17656 Feb  3 07:16 activeusers
-rwxr-xr-x 1 root root   4285 Feb  3 07:16 activeusers1.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 addDevice
-rwxr-xr-x 1 root root   3694 Feb  3 07:16 addDevice1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 addDevicePolicy
-rwxr-xr-x 1 root root   2973 Feb  3 07:16 addDevicePolicy.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 addclientroutes
-rwxr-xr-x 1 root root   4200 Feb  3 07:16 addclientroutes1.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 adddefaddr
-rwxr-xr-x 1 root root   4119 Feb  3 07:16 adddefaddr1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 adddefbrowser
-rwxr-xr-x 1 root root   3968 Feb  3 07:16 adddefbrowser1.html
-rwxr-xr-x 1 root root  38136 Feb  3 07:16 adddomain
-rwxr-xr-x 1 root root  73801 Feb  3 07:16 adddomain1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 addgroup
-rwxr-xr-x 1 root root   3354 Feb  3 07:16 addgroup1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 addhosts
-rwxr-xr-x 1 root root   2460 Feb  3 07:16 addhosts1.html
-rwxr-xr-x 1 root root  21752 Feb  3 07:16 addpolicy
-rwxr-xr-x 1 root root  31509 Feb  3 07:16 addpolicy1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 addresource
-rwxr-xr-x 1 root root   2923 Feb  3 07:16 addresource1.html
-rwxr-xr-x 1 root root  10697 Feb  3 07:16 addresourceaddr1.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 addresourceaddrs
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 addstaticroutes
-rwxr-xr-x 1 root root   3438 Feb  3 07:16 addstaticroutes1.html
-rwxr-xr-x 1 root root     61 Feb  3 07:16 addstaticroutes2.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 adduser
-rwxr-xr-x 1 root root   6714 Feb  3 07:16 adduser1.html
-rwxr-xr-x 1 root root   2569 Feb  3 07:16 adduser2.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 adminHelp
-rwxr-xr-x 1 root root    509 Feb  3 07:16 adminHelp.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 adminHelpBody
-rwxr-xr-x 1 root root 101369 Feb  3 07:16 adminHelpBody.html
-rwxr-xr-x 1 root root  14088 Feb  3 07:16 analyzer
-rwxr-xr-x 1 root root   3217 Feb  3 07:16 analyzer1.html
-rwxr-xr-x 1 root root   2905 Feb  3 07:16 analyzer2.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 appOffloadMenu
-rwxr-xr-x 1 root root   4946 Feb  3 07:16 appOffloadMenu.html
-rwxr-xr-x 1 root root   1218 Feb  3 07:16 appOffloadRedirect.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 backup
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 backupcode
-rwxr-xr-x 1 root root   1367 Feb  3 07:16 backupcode1.html
-rwxr-xr-x 1 root root   9468 Feb  3 07:16 bandwidthTest
-rwxr-xr-x 1 root root  17449 Feb  3 07:16 bandwidthTest.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 bookmarkDetails
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 bookmarks
-rwxr-xr-x 1 root root   3541 Feb  3 07:16 bookmarks1.html
-rwxr-xr-x 1 root root    403 Feb  3 07:16 bookmarks2.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 boot
-rwxr-xr-x 1 root root   1434 Feb  3 07:16 browser_error.html
-rwxr-xr-x 1 root root  25848 Feb  3 07:16 capacityMatrixReport
-rwxr-xr-x 1 root root   5955 Feb  3 07:16 captureATPConfig.html
-rwxr-xr-x 1 root root   1839 Feb  3 07:16 captureATPLicense.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 captureATPReport
-rwxr-xr-x 1 root root   1439 Feb  3 07:16 captureATPReport.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 captureatpconfig
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 captureatplicense
-rwxr-xr-x 1 root root  42292 Feb  3 07:16 cifslauncher
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 cifslogout
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 cifsnavigate
-rwxr-xr-x 1 root root  38196 Feb  3 07:16 cifsrename
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 citrixICA
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 citrix_installer
-rwxr-xr-x 1 root root  21752 Feb  3 07:16 clientaddresses
-rwxr-xr-x 1 root root  17065 Feb  3 07:16 clientaddresses1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 clientdownload
-rwxr-xr-x 1 root root   3176 Feb  3 07:16 clientdownload.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 clientdownloads
-rwxr-xr-x 1 root root   5936 Feb  3 07:16 clientdownloads.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 clientroutes
-rwxr-xr-x 1 root root   2167 Feb  3 07:16 clientroutes1.html
-rwxr-xr-x 1 root root    745 Feb  3 07:16 clientroutes2.html
-rwxr-xr-x 1 root root   8242 Feb  3 07:16 customLogin1.html
-rwxr-xr-x 1 root root   1368 Feb  3 07:16 customOtp1.html
-rwxr-xr-x 1 root root   3578 Feb  3 07:16 customOtp2.html
-rwxr-xr-x 1 root root   1859 Feb  3 07:16 customOtpError1.html
-rwxr-xr-x 1 root root    794 Feb  3 07:16 customOtpError2.html
-rwxr-xr-x 1 root root   1807 Feb  3 07:16 customRsaNewPin.html
-rwxr-xr-x 1 root root   2922 Feb  3 07:16 customRsaNextCode.html
-rwxr-xr-x 1 root root   1658 Feb  3 07:16 customRsaSysPin.html
-rwsr-sr-x 1 root root  14088 Feb  3 07:16 date
-rwxr-xr-x 1 root root   4003 Feb  3 07:16 date1.html
-rwxr-xr-x 1 root root    422 Feb  3 07:16 date2.html
-rwxr-xr-x 1 root root    787 Feb  3 07:16 date3.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 deleteFw
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 deletePortalBookmark
-rwxr-xr-x 1 root root   3093 Feb  3 07:16 detect_launch.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 devicePolicies
-rwxr-xr-x 1 root root   2942 Feb  3 07:16 devicePolicies.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 deviceSettings
-rwxr-xr-x 1 root root  13240 Feb  3 07:16 deviceSettings.html
-rwxr-xr-x 1 root root  25848 Feb  3 07:16 devices
-rwxr-xr-x 1 root root  15918 Feb  3 07:16 devices1.html
-rwxr-xr-x 1 root root   1668 Feb  3 07:16 devices2.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 diag
-rwxr-xr-x 1 root root   1833 Feb  3 07:16 diag1.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 diagOutlook
-rwxr-xr-x 1 root root   4564 Feb  3 07:16 diagOutlook.html
-rwxr-xr-x 1 root root  46336 Feb  3 07:16 diagnostics
-rwxr-xr-x 1 root root  22903 Feb  3 07:16 diagnostics1.html
-rwxr-xr-x 1 root root   1004 Feb  3 07:16 diagnostics2.html
-rwxr-xr-x 1 root root    417 Feb  3 07:16 diagnostics3.html
-rwsr-sr-x 1 root root  17656 Feb  3 07:16 diagsettings
-rwxr-xr-x 1 root root  15291 Feb  3 07:16 diagsettings1.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 disclaimer
-rwxr-xr-x 1 root root   1025 Feb  3 07:16 disclaimer.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 dnssettings
-rwxr-xr-x 1 root root   7652 Feb  3 07:16 dnssettings1.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 domainList
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 domains
-rwxr-xr-x 1 root root   3698 Feb  3 07:16 domains1.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 download
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 editAdGroup
-rwxr-xr-x 1 root root   5499 Feb  3 07:16 editAdGroup.html
-rwxr-xr-x 1 root root  50424 Feb  3 07:16 editBookmark
-rwxr-xr-x 1 root root  52641 Feb  3 07:16 editBookmark.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 editRadiusGroup
-rwxr-xr-x 1 root root   2772 Feb  3 07:16 editRadiusGroup.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 editSamlGroup
-rwxr-xr-x 1 root root   2730 Feb  3 07:16 editSamlGroup.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 editSmsTemplate
-rwxr-xr-x 1 root root   8660 Feb  3 07:16 editSmsTemplate.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 editWAFSignature
-rwxr-xr-x 1 root root   9346 Feb  3 07:16 editWAFSignature.html
-rwxr-xr-x 1 root root  50424 Feb  3 07:16 editdomain
-rwxr-xr-x 1 root root  74089 Feb  3 07:16 editdomain.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 editepc
-rwxr-xr-x 1 root root   8253 Feb  3 07:16 editepc.html
-rwxr-xr-x 1 root root  42236 Feb  3 07:16 editglobal
-rwxr-xr-x 1 root root  18595 Feb  3 07:16 editglobal1.html
-rwxr-xr-x 1 root root  10453 Feb  3 07:16 editglobal2.html
-rwxr-xr-x 1 root root    469 Feb  3 07:16 editglobal3.html
-rwxr-xr-x 1 root root   2553 Feb  3 07:16 editglobal4.html
-rwxr-xr-x 1 root root    345 Feb  3 07:16 editglobal5.html
-rwxr-xr-x 1 root root   3749 Feb  3 07:16 editglobal6.html
-rwxr-xr-x 1 root root  58616 Feb  3 07:16 editgroups
-rwxr-xr-x 1 root root  67824 Feb  3 07:16 editgroups1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 edithosts
-rwxr-xr-x 1 root root   2935 Feb  3 07:16 edithosts1.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 editresource
-rwxr-xr-x 1 root root   6440 Feb  3 07:16 editresource1.html
-rwxr-xr-x 1 root root  79096 Feb  3 07:16 editusers
-rwxr-xr-x 1 root root  88218 Feb  3 07:16 editusers1.html
-rwxr-xr-x 1 root root    451 Feb  3 07:16 editusers2.html
-rwxr-xr-x 1 root root  10225 Feb  3 07:16 editusers3.html
-rwxr-xr-x 1 root root   1245 Feb  3 07:16 editusers4.html
-rwxr-xr-x 1 root root   9717 Feb  3 07:16 editusers5.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 editvpserver
-rwxr-xr-x 1 root root   2447 Feb  3 07:16 editvpserver.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 encryptoptions
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 endpointsecurity
-rwxr-xr-x 1 root root   1769 Feb  3 07:16 endpointsecurity1.html
-rwxr-xr-x 1 root root     46 Feb  3 07:16 endpointsecurity2.html
-rwxr-xr-x 1 root root  46388 Feb  3 07:16 entirenetwork
-rwxr-xr-x 1 root root   8631 Feb  3 07:16 entirenetwork1.html
-rwxr-xr-x 1 root root    214 Feb  3 07:16 entirenetwork2.html
-rwxr-xr-x 1 root root  34040 Feb  3 07:16 epcValidate
-rwxr-xr-x 1 root root   2728 Feb  3 07:16 epcValidate.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 epclicense
-rwxr-xr-x 1 root root   2684 Feb  3 07:16 epclicense.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 epcquarantine
-rwxr-xr-x 1 root root   2887 Feb  3 07:16 epcquarantine1.html
-rwxr-xr-x 1 root root   1938 Feb  3 07:16 epcquarantine2.html
-rwxr-xr-x 1 root root  30192 Feb  3 07:16 epcs
-rwxr-xr-x 1 root root   2392 Feb  3 07:16 epcs1.html
-rwxr-xr-x 1 root root    832 Feb  3 07:16 epcs2.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 epcsettings
-rwxr-xr-x 1 root root   7006 Feb  3 07:16 epcsettings.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 epcstatus
-rwxr-xr-x 1 root root   5852 Feb  3 07:16 epcstatus.html
-rwxr-xr-x 1 root root   1084 Feb  3 07:16 error.html
-rwxr-xr-x 1 root root   1874 Feb  3 07:16 errorAnonymous.html
-rwxr-xr-x 1 root root   1775 Feb  3 07:16 errorCSRF.html
-rwxr-xr-x 1 root root   1137 Feb  3 07:16 errorLicense.html
-rwxr-xr-x 1 root root   1113 Feb  3 07:16 errorLicense_AO.html
-rwxr-xr-x 1 root root   1142 Feb  3 07:16 error_AO.html
-rwxr-xr-x 1 root root   1176 Feb  3 07:16 errordns.html
-rwxr-xr-x 1 root root   1233 Feb  3 07:16 errordns_AO.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 etchosts
-rwxr-xr-x 1 root root   4836 Feb  3 07:16 etchosts1.html
-rwxr-xr-x 1 root root  61497 Feb  3 07:16 eua.html
-rwsr-sr-x 1 root root  50984 Feb  3 07:16 eventlog
-rwxr-xr-x 1 root root  15344 Feb  3 07:16 eventlog1.html
-rwxr-xr-x 1 root root    827 Feb  3 07:16 eventlog2.html
-rwxr-xr-x 1 root root  38196 Feb  3 07:16 explorercomputer
-rwxr-xr-x 1 root root   8893 Feb  3 07:16 explorercomputer2.html
-rwxr-xr-x 1 root root    214 Feb  3 07:16 explorercomputer3.html
-rwxr-xr-x 1 root root   3135 Feb  3 07:16 explorererror1.html
-rwxr-xr-x 1 root root   4701 Feb  3 07:16 explorererror2.html
-rwxr-xr-x 1 root root    224 Feb  3 07:16 explorererror3.html
-rwxr-xr-x 1 root root  46388 Feb  3 07:16 explorerfiles
-rwxr-xr-x 1 root root   3178 Feb  3 07:16 explorerfiles1.html
-rwxr-xr-x 1 root root   5732 Feb  3 07:16 explorerfiles2.html
-rwxr-xr-x 1 root root   2668 Feb  3 07:16 explorerfiles3.html
-rwxr-xr-x 1 root root   2720 Feb  3 07:16 explorerfiles4.html
-rwxr-xr-x 1 root root    214 Feb  3 07:16 explorerfiles5.html
-rwxr-xr-x 1 root root  66868 Feb  3 07:16 explorerlist
-rwxr-xr-x 1 root root   4692 Feb  3 07:16 explorershares.html
-rwxr-xr-x 1 root root   4781 Feb  3 07:16 explorershares0.html
-rwsr-sr-x 1 root root  29944 Feb  3 07:16 exportConfigFile
-rwsr-sr-x 1 root root  42232 Feb  3 07:16 exportDiagnostics
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 extendauthentication
-rwxr-xr-x 1 root root  30472 Feb  3 07:16 extensionsetting
-rwxr-xr-x 1 root root  16814 Feb  3 07:16 extensionsetting1.html
-rwxr-xr-x 1 root root    747 Feb  3 07:16 extensionsetting2.html
-rwxr-xr-x 1 root root   3064 Feb  3 07:16 ffdeadplugins.html
-rwxr-xr-x 1 root root  46388 Feb  3 07:16 filePermissions
-rwxr-xr-x 1 root root  21779 Feb  3 07:16 fileshare.html
-rwxr-xr-x 1 root root   1436 Feb  3 07:16 ftp-addnew1.html
-rwxr-xr-x 1 root root    985 Feb  3 07:16 ftp-addnew2.html
-rwxr-xr-x 1 root root    770 Feb  3 07:16 ftp-addnew3.html
-rwxr-xr-x 1 root root    514 Feb  3 07:16 ftp-addnew4.html
-rwxr-xr-x 1 root root  12464 Feb  3 07:16 ftp-download1.html
-rwxr-xr-x 1 root root   1799 Feb  3 07:16 ftp-rename1.html
-rwxr-xr-x 1 root root   1449 Feb  3 07:16 ftp-rename2.html
-rwxr-xr-x 1 root root   1391 Feb  3 07:16 ftp-upload1.html
-rwxr-xr-x 1 root root   1616 Feb  3 07:16 ftp-upload2.html
-rwxr-xr-x 1 root root   6089 Feb  3 07:16 ftp-upload3.html
-rwxr-xr-x 1 root root   4053 Feb  3 07:16 ftp1.html
-rwxr-xr-x 1 root root    652 Feb  3 07:16 ftp2.html
-rwxr-xr-x 1 root root    702 Feb  3 07:16 ftp3.html
-rwxr-xr-x 1 root root    456 Feb  3 07:16 ftp4.html
-rwxr-xr-x 1 root root    224 Feb  3 07:16 ftpMaxSession.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 ftplauncher
-rwsr-sr-x 1 root root   9464 Feb  3 07:16 genCert
-rwxr-xr-x 1 root root   2943 Feb  3 07:16 genCert1.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 gencsr
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 geoBotAddPolicy
-rwxr-xr-x 1 root root  33742 Feb  3 07:16 geoBotAddPolicy.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 geoBotCaptcha
-rwxr-xr-x 1 root root   3509 Feb  3 07:16 geoBotCaptcha.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 geoBotLicense
-rwxr-xr-x 1 root root   2298 Feb  3 07:16 geoBotLicense.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 geoBotPolicyList
-rwxr-xr-x 1 root root   7167 Feb  3 07:16 geoBotPolicyList.html
-rwxr-xr-x 1 root root  17696 Feb  3 07:16 geoBotStatus
-rwxr-xr-x 1 root root  13889 Feb  3 07:16 geoBotStatus.html
-rwxr-xr-x 1 root root   1108 Feb  3 07:16 geoBotValidated.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 geoDetailed
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 geoipBotFltSettings
-rwxr-xr-x 1 root root  11125 Feb  3 07:16 geoipBotFltSettings.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 getaovconf
-rwsr-sr-x 1 root root  25848 Feb  3 07:16 gmssetup
-rwxr-xr-x 1 root root  31671 Feb  3 07:16 gmssetup1.html
-rwxr-xr-x 1 root root   1139 Feb  3 07:16 graph.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 groups
-rwxr-xr-x 1 root root   1933 Feb  3 07:16 groups1.html
-rwxr-xr-x 1 root root    244 Feb  3 07:16 groups2.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 haSingleInfWarning
-rwxr-xr-x 1 root root   1661 Feb  3 07:16 haSingleInfWarning.html
-rwxr-xr-x 1 root root  17680 Feb  3 07:16 haconfig
-rwxr-xr-x 1 root root  16429 Feb  3 07:16 haconfig.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 handleFailOverError
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 handleWAFDetect
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 handleWAFRedirect
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 html5ClientLog
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 http
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 https
-rwsr-sr-x 1 root root  13560 Feb  3 07:16 ifacesettings
-rwxr-xr-x 1 root root   9879 Feb  3 07:16 ifacesettings1.html
-rwxr-xr-x 1 root root  13568 Feb  3 07:16 importDevices
-rwxr-xr-x 1 root root   3485 Feb  3 07:16 importDevices.html
-rwxr-xr-x 1 root root  13564 Feb  3 07:16 importLocalUsers
-rwxr-xr-x 1 root root   2232 Feb  3 07:16 importLocalUsers.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 importcacert
-rwxr-xr-x 1 root root   1813 Feb  3 07:16 importcacert1.html
-rwsr-sr-x 1 root root  13560 Feb  3 07:16 importcert
-rwxr-xr-x 1 root root   2350 Feb  3 07:16 importcert1.html
-rwsr-sr-x 1 root root  22156 Feb  3 07:16 importconfig
-rwxr-xr-x 1 root root   2505 Feb  3 07:16 importconfig.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 importlogo
-rwxr-xr-x 1 root root   1892 Feb  3 07:16 importsamlcert1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 installcert
-rwxr-xr-x 1 root root   3760 Feb  3 07:16 installcert1.html
-rwxr-xr-x 1 root root   3310 Feb  3 07:16 jarrewrite.sh
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 javaBadVersion
-rwxr-xr-x 1 root root   1536 Feb  3 07:16 javaBadVersion.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 javaVersionTest
-rwxr-xr-x 1 root root   3457 Feb  3 07:16 javaVersionTest.html
-rwxr-xr-x 1 root root  40001 Feb  3 07:16 jdasm
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 layout
-rwxr-xr-x 1 root root   1432 Feb  3 07:16 layout1.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 lbGroup
-rwxr-xr-x 1 root root  16048 Feb  3 07:16 lbGroup.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 lbMain
-rwxr-xr-x 1 root root   6283 Feb  3 07:16 lbMain.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 lbMember
-rwxr-xr-x 1 root root   4804 Feb  3 07:16 lbMember.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 license
-rwxr-xr-x 1 root root   1323 Feb  3 07:16 license.html
-rwxr-xr-x 1 root root   8267 Feb  3 07:16 licenseOffline.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 licenseTop
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 logcategories
-rwxr-xr-x 1 root root   3846 Feb  3 07:16 logcategories1.html
-rwxr-xr-x 1 root root  18184 Feb  3 07:16 logconfig
-rwxr-xr-x 1 root root  10217 Feb  3 07:16 logconfig1.html
-rwxr-xr-x 1 root root   2694 Feb  3 07:16 logconfig2.html
-rwxr-xr-x 1 root root  10263 Feb  3 07:16 login1.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 loginChangePass
-rwxr-xr-x 1 root root    934 Feb  3 07:16 loginChangePass.html
-rwxr-xr-x 1 root root   3998 Feb  3 07:16 loginMobile.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 logindialogue
-rwxr-xr-x 1 root root   2707 Feb  3 07:16 logindialogue.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 logo
-rwxr-xr-x 1 root root   5307 Feb  3 07:16 logo.html
-rwxr-xr-x 1 root root   2915 Feb  3 07:16 logout.html
-rwxr-xr-x 1 root root   1944 Feb  3 07:16 mainwindow1.html
-rwxr-xr-x 1 root root   1506 Feb  3 07:16 mainwindow2.html
-rwxr-xr-x 1 root root   1201 Feb  3 07:16 mainwindow3.html
-rwxr-xr-x 1 root root   9488 Feb  3 07:16 management
-rwxr-xr-x 1 root root   3233 Feb  3 07:16 management.html
-rwsr-sr-x 1 root root  17656 Feb  3 07:16 monitor
-rwxr-xr-x 1 root root   4526 Feb  3 07:16 monitor1.html
-rwxr-xr-x 1 root root   6766 Feb  3 22:08 ms_csrf.js
-rwxr-xr-x 1 root root   3388 Feb  3 07:16 nelaunch0.html
-rwxr-xr-x 1 root root    547 Feb  3 07:16 nelaunch1.html
-rwxr-xr-x 1 root root  26730 Feb  3 07:16 nelaunch2.html
-rwxr-xr-x 1 root root  38664 Feb  3 07:16 netextenderlog
-rwxr-xr-x 1 root root   1139 Feb  3 07:16 netextenderlog.html
-rwxr-xr-x 1 root root  24205 Feb  3 07:16 netextenderlogTop.html
-rwxr-xr-x 1 root root  21752 Feb  3 07:16 netextenderstats
-rwxr-xr-x 1 root root   6451 Feb  3 07:16 netextenderstats1.html
-rwsr-sr-x 1 root root  13560 Feb  3 07:16 networkinterface
-rwxr-xr-x 1 root root   2477 Feb  3 07:16 networkinterface1.html
-rwxr-xr-x 1 root root    687 Feb  3 07:16 networkinterface2.html
-rwxr-xr-x 1 root root  13564 Feb  3 07:16 networkresource
-rwxr-xr-x 1 root root   1413 Feb  3 07:16 networkresource1.html
-rwxr-xr-x 1 root root    262 Feb  3 07:16 networkresource2.html
-rwxr-xr-x 1 root root   2258 Feb  3 07:16 newLoginWindow.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 newcsr
-rwxr-xr-x 1 root root   7639 Feb  3 07:16 newcsr.html
-rwxr-xr-x 1 root root   2250 Feb  3 07:16 noPluginSupport.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 nph-httprp
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 nxpolicy.xml
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 onlineHelp
-rwxr-xr-x 1 root root  38136 Feb  3 07:16 otp
-rwxr-xr-x 1 root root   1549 Feb  3 07:16 otp1.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 otpError
-rwxr-xr-x 1 root root    941 Feb  3 07:16 otpError1.html
-rwxr-xr-x 1 root root     47 Feb  3 07:16 otpError2.html
-rwxr-xr-x 1 root root  42232 Feb  3 07:16 otpLogin
-rwxr-xr-x 1 root root   1582 Feb  3 07:16 otpsms.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 outlookView
-rwxr-xr-x 1 root root  33360 Feb  3 07:16 outlookView.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 policies
-rwxr-xr-x 1 root root   2926 Feb  3 07:16 policies1.html
-rwxr-xr-x 1 root root    411 Feb  3 07:16 policies2.html
-rwxr-xr-x 1 root root  30472 Feb  3 07:16 policyMatchedLog
-rwxr-xr-x 1 root root  14230 Feb  3 07:16 policyMatchedLog1.html
-rwxr-xr-x 1 root root    587 Feb  3 07:16 policyMatchedLog2.html
-rwxr-xr-x 1 root root  25848 Feb  3 07:16 portal
-rwxr-xr-x 1 root root  10190 Feb  3 07:16 portal1.html
-rwxr-xr-x 1 root root   1644 Feb  3 07:16 portalMobile.html
-rwsr-sr-x 1 root root  25848 Feb  3 07:16 portalWizard
-rwxr-xr-x 1 root root  23330 Feb  3 07:16 portalWizard.html
-rwxr-xr-x 1 root root  13576 Feb  3 07:16 portallist
-rwxr-xr-x 1 root root   6152 Feb  3 07:16 portallist1.html
-rwxr-xr-x 1 root root  19279 Feb  3 07:16 portalv2.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 portalvaiprules
-rwxr-xr-x 1 root root   6772 Feb  3 07:16 portalvaiprules.html
-rwxr-xr-x 1 root root  13360 Feb  3 07:16 postconnectionscripts.fragment.html
-rwxr-xr-x 1 root root   1074 Feb  3 06:55 printenv.vbs
-rwxr-xr-x 1 root root   1133 Feb  3 06:55 printenv.wsf
-rwxr-xr-x 1 root root   2738 Feb  3 07:16 protectedmode.html
-rwxr-xr-x 1 root root   1186 Feb  3 07:16 radiusChallenge.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 radiusChallengeLogin
-rwxr-xr-x 1 root root   8131 Feb  3 07:16 rdpLogin.html
-rwxr-xr-x 1 root root   8624 Feb  3 07:16 rdp_client.html
-rwxr-xr-x 1 root root   1133 Feb  3 07:16 reboot.html
-rwxr-xr-x 1 root root  42232 Feb  3 07:16 registerDevice
-rwxr-xr-x 1 root root   1214 Feb  3 07:16 registerDevice.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 restart
-rwxr-xr-x 1 root root   1867 Feb  3 07:16 restart.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 rsaLogin
-rwxr-xr-x 1 root root   1150 Feb  3 07:16 rsaNewPIN.html
-rwxr-xr-x 1 root root    977 Feb  3 07:16 rsaNextCode.html
-rwxr-xr-x 1 root root   1171 Feb  3 07:16 rsaSysPin.html
-rwsr-sr-x 1 root root  21808 Feb  3 07:16 serviceSettings
-rwxr-xr-x 1 root root  33398 Feb  3 07:16 serviceSettings.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 sessionStatus
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 setCommonName
-rwsr-sr-x 1 root root  63592 Feb  3 07:16 settings
-rwxr-xr-x 1 root root  21388 Feb  3 07:16 settings1.html
-rwxr-xr-x 1 root root   8850 Feb  3 07:16 settings2.html
-rwxr-xr-x 1 root root   2023 Feb  3 07:16 settings3.html
-rwxr-xr-x 1 root root  38136 Feb  3 07:16 showDeviceProfile
-rwxr-xr-x 1 root root  82872 Feb  3 07:16 showDeviceProfile1.html
-rwxr-xr-x 1 root root  32147 Feb  3 07:16 showDeviceProfile2.html
-rwxr-xr-x 1 root root    682 Feb  3 07:16 showDeviceProfile3.html
-rwxr-xr-x 1 root root  25848 Feb  3 07:16 showPolicy
-rwxr-xr-x 1 root root   6131 Feb  3 07:16 showPolicy1.html
-rwxr-xr-x 1 root root   1394 Feb  3 07:16 siteBlocked.html
-rwsr-sr-x 1 root root  46328 Feb  3 07:16 sitecustomization
-rwxr-xr-x 1 root root  87505 Feb  3 07:16 sitecustomization1.html
-rwxr-xr-x 1 root root  84396 Feb  3 07:16 sitecustomization2.html
-rwxr-xr-x 1 root root   9516 Feb  3 07:16 smsTemplates
-rwxr-xr-x 1 root root   3592 Feb  3 07:16 smsTemplates.html
-rwxr-xr-x 1 root root  83252 Feb  3 07:16 sonicfiles
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 soniclauncher
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 ssh
-rwxr-xr-x 1 root root   1717 Feb  3 07:16 sshHtml.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 sshv2
-rwsr-sr-x 1 root root  21752 Feb  3 07:16 sslcert
-rwxr-xr-x 1 root root   4737 Feb  3 07:16 sslcert1.html
-rwxr-xr-x 1 root root   1083 Feb  3 07:16 sslcert2.html
-rwxr-xr-x 1 root root   4033 Feb  3 07:16 sslcert3.html
-rwxr-xr-x 1 root root  62712 Feb  3 07:16 sslvpnclient
-rwxr-xr-x 1 root root    112 Feb  3 07:16 sslvpnclient1.html
-rwxr-xr-x 1 root root   1259 Feb  3 07:16 sslvpnclient2.html
-rwxr-xr-x 1 root root   2034 Feb  3 07:16 sslvpnclient3.html
-rwxr-xr-x 1 root root    393 Feb  3 07:16 sslvpnclient4.html
-rwxr-xr-x 1 root root  13612 Feb  3 07:16 sslvpnclientforaov
-rwxr-xr-x 1 root root   2491 Feb  3 07:16 sslvpnclientmac1.html
-rwxr-xr-x 1 root root    558 Feb  3 07:16 sslvpnpassage.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 staticContent
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 staticroutes
-rwxr-xr-x 1 root root   3221 Feb  3 07:16 staticroutes1.html
-rwxr-xr-x 1 root root   1057 Feb  3 07:16 staticroutes2.html
-rwxr-xr-x 1 root root    411 Feb  3 07:16 staticroutes3.html
-rwsr-sr-x 1 root root  25848 Feb  3 07:16 status
-rwsr-sr-x 1 root root  18184 Feb  3 07:16 status.xml
-rwxr-xr-x 1 root root   3706 Feb  3 07:16 status1.html
-rwxr-xr-x 1 root root  16415 Feb  3 07:16 status2.html
-rwxr-xr-x 1 root root   5368 Feb  3 07:16 statusBar
-rwxr-xr-x 1 root root    411 Feb  3 07:16 statusBar.html
-rwxr-xr-x 1 root root  37688 Feb  3 07:16 sw_httprp.js
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 telnet
-rwxr-xr-x 1 root root   1530 Feb  3 07:16 telnetHtml.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 totp
-rwxr-xr-x 1 root root   2937 Feb  3 07:16 totp1.html
-rwxr-xr-x 1 root root  42236 Feb  3 07:16 tscbookmark
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 ubaGroup
-rwxr-xr-x 1 root root   9253 Feb  3 07:16 ubaGroup.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 ubaMain
-rwxr-xr-x 1 root root   3324 Feb  3 07:16 ubaMain.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 ubaMember
-rwxr-xr-x 1 root root   6263 Feb  3 07:16 ubaMember.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 ubaNavigationPage
-rwxr-xr-x 1 root root    864 Feb  3 07:16 ubaNavigationPageHeader.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 upgradefirmware
-rwxr-xr-x 1 root root   3034 Feb  3 07:16 upgradefirmware.html
-rwsr-sr-x 1 root root   5368 Feb  3 07:16 upgraderom
-rwxr-xr-x 1 root root   2296 Feb  3 07:16 upgraderom.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 upload
-rwxr-xr-x 1 root root 107768 Feb  3 07:16 userLogin
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 userLogout
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 userOptions
-rwxr-xr-x 1 root root  10386 Feb  3 07:16 userOptions1.html
-rwxr-xr-x 1 root root  21752 Feb  3 07:16 users
-rwxr-xr-x 1 root root   3358 Feb  3 07:16 users1.html
-rwxr-xr-x 1 root root    754 Feb  3 07:16 users2.html
-rwsr-sr-x 1 root root  17656 Feb  3 07:16 viewcacert
-rwxr-xr-x 1 root root   5617 Feb  3 07:16 viewcacert1.html
-rwsr-sr-x 1 root root  13560 Feb  3 07:16 viewcert
-rwxr-xr-x 1 root root   6578 Feb  3 07:16 viewcert1.html
-rwxr-xr-x 1 root root     24 Feb  3 07:16 viewcert2.html
-rwxr-xr-x 1 root root  18184 Feb  3 07:16 viewpoint
-rwxr-xr-x 1 root root   3579 Feb  3 07:16 viewpoint1.html
-rwxr-xr-x 1 root root   3079 Feb  3 07:16 viewpoint2.html
-rwxr-xr-x 1 root root   2071 Feb  3 07:16 viewpoint3.html
-rwxr-xr-x 1 root root   2449 Feb  3 07:16 viewsamlcert1.html
-rwxr-xr-x 1 root root   3295 Feb  3 07:16 virtualAssistPlugIn.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 vnc
-rwxr-xr-x 1 root root   5250 Feb  3 07:16 vnc.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 wafLicense
-rwxr-xr-x 1 root root   2950 Feb  3 07:16 wafLicense.html
-rwxr-xr-x 1 root root  38276 Feb  3 07:16 wafMonitoring
-rwxr-xr-x 1 root root  56614 Feb  3 07:16 wafMonitoring.html
-rwxr-xr-x 1 root root  46736 Feb  3 07:16 wafPDFReport
-rwxr-xr-x 1 root root   9421 Feb  3 07:16 wafPDFReport.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 wafRule
-rwxr-xr-x 1 root root  45075 Feb  3 07:16 wafRule.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 wafRuleChain
-rwxr-xr-x 1 root root  12609 Feb  3 07:16 wafRuleChain.html
-rwxr-xr-x 1 root root  38140 Feb  3 07:16 wafRuleChainList
-rwxr-xr-x 1 root root  41502 Feb  3 07:16 wafRuleChainList.html
-rwxr-xr-x 1 root root  17656 Feb  3 07:16 wafSignatures
-rwxr-xr-x 1 root root  15467 Feb  3 07:16 wafSignatures.html
-rwxr-xr-x 1 root root  13560 Feb  3 07:16 wafStatus
-rwxr-xr-x 1 root root   4244 Feb  3 07:16 wafStatus.html
-rwxr-xr-x 1 root root  38136 Feb  3 07:16 wafSummary
-rwxr-xr-x 1 root root  79921 Feb  3 07:16 wafSummary.html
-rwxr-xr-x 1 root root   9464 Feb  3 07:16 wafURLProfile
-rwxr-xr-x 1 root root   8404 Feb  3 07:16 wafURLProfile.html
-rwxr-xr-x 1 root root  30480 Feb  3 07:16 welcome
root@sslvpn:/usr/src/EasyAccess/www/cgi-bin #
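
Added example (not SonicWall's or Rapid7's code): a small audit that parses `ls -l` output of the kind shown above and reports which entries are setuid and owned by root, plus a second function that runs the same check on a live directory from the mode bits instead of ls text. The sample lines are copied from the listing above.

```python
"""Audit an `ls -l` listing for setuid binaries owned by root.

Added example, not SonicWall's or Rapid7's code. SAMPLE_LISTING is a
constructed excerpt of the cgi-bin listing shown on the page.
"""
import os
import re
import stat
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Fields of a GNU `ls -l` line: mode, link count, owner, group, size,
# month, day, time-or-year, name (the name may contain spaces).
LS_LINE = re.compile(
    r"^(?P<mode>[-dlbcps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)


@dataclass(frozen=True)
class Entry:
    name: str
    owner: str
    group: str
    setuid: bool
    setgid: bool


def parse_ls_line(line: str) -> Optional[Entry]:
    """Return an Entry for one `ls -l` line, or None for 'total' lines and shell prompts."""
    m = LS_LINE.match(line.rstrip())
    if not m:
        return None
    mode = m.group("mode")
    # mode[3] is the owner execute position: 's' = setuid + exec, 'S' = setuid
    # without exec. mode[6] is the group execute position and carries setgid.
    return Entry(
        name=m.group("name"),
        owner=m.group("owner"),
        group=m.group("group"),
        setuid=mode[3] in "sS",
        setgid=mode[6] in "sS",
    )


def suid_root_from_listing(lines: Iterable[str]) -> List[str]:
    """Names of listed entries that are setuid and owned by root, in listing order."""
    found = []
    for line in lines:
        entry = parse_ls_line(line)
        if entry and entry.setuid and entry.owner == "root":
            found.append(entry.name)
    return found


def suid_root_in_dir(path: str) -> List[str]:
    """Same check against a real directory, using st_mode rather than parsed text."""
    found = []
    for name in sorted(os.listdir(path)):
        st = os.lstat(os.path.join(path, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID and st.st_uid == 0:
            found.append(name)
    return found


# Constructed excerpt of the page's cgi-bin listing (prompt and 'total' line included
# to show they are skipped).
SAMPLE_LISTING = """\
total 7330
-rwxr-xr-x 1 root root  17664 Feb  3 07:16 DEARegister
-rwsr-sr-x 1 root root  17656 Feb  3 07:16 activeusers
-rwxr-xr-x 1 root root   4285 Feb  3 07:16 activeusers1.html
-rwsr-sr-x 1 root root  34824 Feb  3 07:16 backup
-rwsr-sr-x 1 root root  50984 Feb  3 07:16 eventlog
-rwxr-xr-x 1 root root 107768 Feb  3 07:16 userLogin
-rwsr-sr-x 1 root root  63592 Feb  3 07:16 settings
root@sslvpn:/usr/src/EasyAccess/www/cgi-bin #
""".splitlines()


if __name__ == "__main__":
    for name in suid_root_from_listing(SAMPLE_LISTING):
        print("setuid-root:", name)
```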

Web path /spog also contains binaries used by the web interface. Any binaries using the SQLite backend are potentially vulnerable to SQL injection. Rapid7 researchers noted that some endpoints were protected against trivial SQL injection, though the surface area for attack is still considerable.

Furthermore, Rapid7 researchers noticed a Python-based authentication API reverse-proxied from web path /__api__ to the service listening on 127.0.0.1:12345.

root@sslvpn:/usr/src/EasyAccess/www/python/authentication_api # ls -l
total 27
drwxr-xr-x 2 root root 1024 Feb  3 22:08 __pycache__
drwxr-xr-x 6 root root 1024 Feb  3 22:08 authentication
-r--r--r-- 1 root root 1092 Feb  3 07:16 authentication_api.py
-r--r--r-- 1 root root 1678 Feb  3 07:16 c_macros.py
drwxr-xr-x 4 root root 3072 Feb  3 22:08 management
-r--r--r-- 1 root root  461 Feb  3 07:16 management_api.py
drwxr-xr-x 4 root root 1024 Feb  3 22:08 report
-r--r--r-- 1 root root  457 Feb  3 07:16 report_api.py
-r--r--r-- 1 root root 2621 Feb  3 07:16 restful_api.py
drwxr-xr-x 3 root root 1024 Feb  3 07:16 threat
-r--r--r-- 1 root root  454 Feb  3 07:16 threat_api.py
root@sslvpn:/usr/src/EasyAccess/www/python/authentication_api #
root@sslvpn:/usr/src/EasyAccess/www/python/authentication_api # lsof -nPi :12345
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
python3.6 1364 root    8u  IPv4    869      0t0  TCP 127.0.0.1:12345 (LISTEN)
root@sslvpn:/usr/src/EasyAccess/www/python/authentication_api #

This service could also be susceptible to injection attacks through the web interface.

Guidance

SonicWall SMA 100 series 10.x customers should upgrade their firmware to version 10.2.0.5-29sv. Though mitigations are available in the form of enabling MFA and/or the WAF, patching should remain the utmost priority for organizations affected by CVE-2021-20016.
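
Added example (not SonicWall's or Rapid7's code) for checking an inventory of SMA 100 appliances against the fixed release. It assumes firmware versions are reported in the advisory's form, a dotted release followed by a -<build>sv suffix, and encodes only what this page states: 10.x builds before 10.2.0.5-29sv are affected.

```python
"""Decide whether a reported SMA 100 firmware version still needs the CVE-2021-20016 fix.

Added example, not SonicWall's or Rapid7's code. The version format ("10.2.0.5-29sv":
dotted release, then "-<build>sv") is assumed from the string used in the advisory.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "10.2.0.5-29sv"  # patch release named in the advisory
AFFECTED_MAJOR = 10              # only 10.x firmware is in scope for this CVE

VERSION_RE = re.compile(r"^(?P<rel>\d+(?:\.\d+)*)(?:-(?P<build>\d+)sv)?$")


def parse_sma_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split '10.2.0.5-29sv' into ((10, 2, 0, 5), 29). A missing build suffix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {text!r}")
    release = tuple(int(part) for part in m.group("rel").split("."))
    build = int(m.group("build")) if m.group("build") else 0
    return release, build


def version_key(text: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key: release padded to four components (so '10.2' sorts like
    '10.2.0.0'), then the build number."""
    release, build = parse_sma_version(text)
    padded = release + (0,) * (4 - len(release))
    return padded, build


def needs_patch(text: str) -> Optional[bool]:
    """True if the version is an affected 10.x build, False if it carries the fix,
    None if the version is outside the 10.x scope this advisory covers."""
    release, _ = parse_sma_version(text)
    if release[0] != AFFECTED_MAJOR:
        return None
    return version_key(text) < version_key(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed inventory: one appliance per line, version as the admin UI reports it.
    for host, version in [("sma-01", "10.2.0.2-20sv"), ("sma-02", "10.2.0.5-29sv")]:
        print(host, version, "needs patch" if needs_patch(version) else "ok")
```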
