CVE-2021-20040
published 2021-12-08


Priority: P2 · 61 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 25.78% (97.7th percentile)
A relative path traversal vulnerability in the SMA100 upload function allows a remote unauthenticated attacker to upload crafted web pages or files as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Affected

13 ranges

Vendor     Product                  Version range   Fixed in
sonicwall  sma_200_firmware
sonicwall  sma_200_firmware
sonicwall  sma_210_firmware
sonicwall  sma_210_firmware
sonicwall  sma_400_firmware
sonicwall  sma_400_firmware
sonicwall  sma_410_firmware
sonicwall  sma_410_firmware
sonicwall  sma_500v_firmware
sonicwall  sma_500v_firmware
sonicwall  sonicwall_sma100
sonicwall  sonicwall_sma100
sonicwall  sonicwall_sma100

Detection & IOCs (extracted from sources)

snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; content:"|2e 2f|"; within:3; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20040; classtype:attempted-admin; sid:2034896; rev:2; metadata:created_at 2022_01_12, cve CVE_2021_20040, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
bytes
|2e 2f|
  • Exploit traffic is identified by an HTTP POST request whose URI contains the token 'swcctn=' followed, within 3 bytes, by the byte sequence |2e 2f| (the raw bytes of './'). The match runs against the http.uri buffer, which Suricata normalizes (percent-decodes) before matching, so an encoded './' in the query string is caught as well. This pattern indicates a relative path traversal attempt against the SMA100 upload function.
  • The attack is unauthenticated and targets the SMA100 upload function, allowing crafted web pages or files to be uploaded as the 'nobody' user. Monitor for unexpected file creation by the 'nobody' user on SMA 200, 210, 400, 410, and 500v appliances.
  • The Snort/Suricata rule targets inbound HTTP POST traffic to internal/HTTP servers (perimeter and internal deployment). High-confidence detection with sid:2034896.
  • The Snort rule targets [$HOME_NET,$HTTP_SERVERS] as the destination; ensure these variables are scoped to include the SMA 100 series appliances (SMA 200, 210, 400, 410, 500v) in your sensor configuration, otherwise the rule never sees the traffic.
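The content logic of the rule above, re-implemented in Python so that it can be run over request logs where no IDS is in the path. This is an added example, not part of the CVE record or of the Emerging Threats rule; the request lines, paths and file names are constructed samples, not real SMA traffic.

```python
"""Log-side mirror of the ET content checks for CVE-2021-20040 (added example)."""
from urllib.parse import unquote

TOKEN = b"swcctn="
TRAVERSAL = b"\x2e\x2f"   # |2e 2f| == "./"
WITHIN = 3                # Snort/Suricata 'within:3'

def rule_matches(method: str, uri: str) -> bool:
    """True when a request would satisfy the rule's method/URI content checks.

    http.uri in Suricata is the normalized (percent-decoded) URI, so the URI is
    decoded first. 'within:3' means "./" must end no more than 3 bytes after the
    end of the preceding 'swcctn=' match, i.e. it may start at offset 0 or 1.
    """
    if method.upper() != "POST":
        return False
    raw = unquote(uri).encode("utf-8", "surrogateescape")
    start = raw.find(TOKEN)
    while start != -1:                      # check every occurrence of the token
        after = start + len(TOKEN)
        if TRAVERSAL in raw[after:after + WITHIN]:
            return True
        start = raw.find(TOKEN, start + 1)
    return False

# Constructed sample request lines ("METHOD URI"); paths are placeholders.
SAMPLE_REQUESTS = [
    "POST /example/upload?swcctn=../page.html",        # literal ./ right after token
    "POST /example/upload?swcctn=%2e%2e%2fpage.html",  # same after URI normalization
    "GET /example/upload?swcctn=../page.html",         # wrong method: no alert
    "POST /example/upload?swcctn=abcd./page.html",     # ./ outside the within:3 window
    "POST /example/upload?file=report.pdf",            # benign upload
]

def scan_requests(lines):
    """Return the request lines that would fire the rule."""
    hits = []
    for line in lines:
        method, _, uri = line.partition(" ")
        if rule_matches(method, uri):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print("ALERT CVE-2021-20040 pattern:", hit)
```

Feed it the method and URI columns of an access log to triage historical traffic the sensor may have missed; a hit is a trigger for checking file creation by the 'nobody' user, not proof of compromise.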

CVSS provenance

nvd  v3.1  7.5  HIGH    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd  v2.0  5.0  MEDIUM  AV:N/AC:L/Au:N/C:N/I:P/A:N