CVE-2021-20034
Published: 2021-09-27
Priority: P183 · critical · CVSS 3.1: 9.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EXPLOIT
EPSS: 80.70% (99.6th percentile)
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma100 | — | — |
| sonicwall | sma100 | — | — |
| sonicwall | sma100 | — | — |
| sonicwall | sma_200_firmware | <= 9.0.0.10-28sv | — |
| sonicwall | sma_200_firmware | 10.2.0.0 – 10.2.0.7-34sv | — |
| sonicwall | sma_200_firmware | 10.2.1.0 – 10.2.1.0-17sv | — |
| sonicwall | sma_210_firmware | <= 9.0.0.10-28sv | — |
| sonicwall | sma_210_firmware | 10.2.0.0 – 10.2.0.7-34sv | — |
| sonicwall | sma_210_firmware | 10.2.1.0 – 10.2.1.0-17sv | — |
| sonicwall | sma_400_firmware | <= 9.0.0.10-28sv | — |
| sonicwall | sma_400_firmware | 10.2.0.0 – 10.2.0.7-34sv | — |
| sonicwall | sma_400_firmware | 10.2.1.0 – 10.2.1.0-17sv | — |
| sonicwall | sma_410_firmware | <= 9.0.0.10-28sv | — |
| sonicwall | sma_410_firmware | 10.2.0.0 – 10.2.0.7-34sv | — |
| sonicwall | sma_410_firmware | 10.2.1.0 – 10.2.1.0-17sv | — |
| sonicwall | sma_500v | <= 9.0.0.10-28sv | — |
| sonicwall | sma_500v | 10.2.0.0 – 10.2.0.7-34sv | — |
| sonicwall | sma_500v | 10.2.1.0 – 10.2.1.0-17sv | — |
Detection & IOCs
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated handleWAFRedirect CGI Arbitrary File Deletion (CVE-2021-20034)"; flow:established,to_server; http.uri; content:"/cgi-bin/handleWAFRedirect|3f|"; fast_pattern; content:"hdl|3d|"; pcre:"/^[^&]*?(?:(?:\x2e|%2[Ee]){1,2}(?:\x2f|\x5c|%5[Cc]|%2[Ff]){1,}){2,}/R"; reference:url,attackerkb.com/topics/23t9VCbGzt/cve-2021-20034/rapid7-analysis; reference:cve,2021-20034; classtype:web-application-attack; sid:2061721; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_17, cve CVE_2021_20034, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_17, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets the `handleWAFRedirect` CGI endpoint with a `hdl` parameter containing path traversal sequences (dot-dot sequences, URL-encoded variants) to delete arbitrary files. Detect via URI pattern matching on `/cgi-bin/handleWAFRedirect?` followed by `hdl=` with traversal sequences.
- The exploit deletes the persistent database file (`persist.db`) to force a factory reset on reboot. Monitor for unauthenticated DELETE/GET requests targeting `/flash/etc/EasyAccess/var/conf/persist.db` via path traversal.
- Shodan dork can be used to identify exposed SonicWall SMA devices on the internet that may be targeted: search for title 'Virtual Office' with 'Server: SonicWall'.
- The vulnerability is exploitable without authentication (unauthenticated remote attacker). Prioritize detection on perimeter/SSL-decrypting sensors for inbound HTTP requests to SMA 100 series devices.
- The Emerging Threats Snort rule (sid:2061721) requires TLS decryption to be effective, as the exploit traffic is HTTPS. Deploy on sensors with TLS inspection enabled (metadata tag: tls_state TLSDecrypt / deployment SSLDecrypt).
- Affected versions are SMA 100 Series running 9.0.0.10-28sv, 10.2.0.7-34sv, and 10.2.1.0-17sv. Talos Snort SIDs 58224–58226 cover this CVE and should be enabled on relevant rulesets.
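CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | v2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
| vendor_oracle | — | 7.5 | HIGH | — |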
GHSA
GHSA-vfqg-fwg4-f3vx
ghsa_unreviewed · 2022-05-24
CVE-2021-20034 [CRITICAL] CWE-22
An improper access control vulnerability in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file potentially resulting in a reboot to factory default settings.
Oracle
Oracle Communications Risk Matrix: NPA Agent (Flexnet) — CVE-2018-20034
vendor_oracle · 2021-10-15 · CVSS 7.5
CVE-2018-20034 [HIGH]
CVE: CVE-2018-20034
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuoct2021 (OCT 2021)
Suricata
ET WEB_SERVER SonicWall SMA Unauthenticated handleWAFRedirect CGI Arbitrary File Deletion (CVE-2021-20034)
suricata · 2025-04-17 · CVSS 9.1
CVE-2021-20034 [CRITICAL]
Rule: sid:2061721 (full rule text under Detection & IOCs above)
Talos
Threat Source newsletter (Oct. 7, 2021)
blogs_talos · 2021-10-07
Good afternoon, Talos readers.
Every day, we see mountains and mountains of data. So how do we comb through all of it to find out what's important to customers and users? Well, there are many ways, but we wanted to give readers and researchers a look into at least one option using Apache Spark.
Our new walkthrough will show how we use machine learning, software and good 'ole fashioned intuition to work through a huge dataset.
October is the start of National Cybersecurity Awareness Month. To celebrate, we'll be releasing special episodes of the Talos Takes podcast each week centered around a specific theme. First up, we have Chris Marshall from Talos discussing how to avoid burnout. Cybersecurity is a stressful industry even when we're not in a global pandemic. So how have we adapted to our
Greynoiseio
Malicious Tag Roundup (October 2021)
blogs_greynoiseio·CVSS 10.0
[CRITICAL] Malicious Tag Roundup (October 2021)
- http://packetstormsecurity.com/files/164564/SonicWall-SMA-10.2.1.0-17sv-Password-Reset.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0021