CVE-2021-20040
Published 2021-12-08
Priority: P261, high. CVSS 3.1: 7.5
AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:N
EPSS: 25.78% (97.7th percentile)
A relative path traversal vulnerability in the SMA100 upload function allows a remote unauthenticated attacker to upload crafted web pages or files as a 'nobody' user. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; content:"|2e 2f|"; within:3; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20040; classtype:attempted-admin; sid:2034896; rev:2; metadata:created_at 2022_01_12, cve CVE_2021_20040, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0007, mitre_tactic_name Discovery, mitre_technique_id T1083, mitre_technique_name File_And_Directory_Discovery; target:dest_ip;)
bytes
|2e 2f|
- Exploit traffic is identified by an HTTP POST request whose URI contains the cookie/parameter token 'swcctn=' with the byte sequence |2e 2f| (the hex bytes for './') falling within the 3 bytes that follow it. This pattern indicates a relative path traversal attempt in the SMA100 upload function.
- The attack is unauthenticated and targets the SMA100 upload function, allowing crafted web pages or files to be uploaded as the 'nobody' user. Monitor for unexpected file creation by the 'nobody' user on SMA 200, 210, 400, 410, and 500v appliances.
- The Snort/Suricata rule targets inbound HTTP POST traffic to internal/HTTP servers (perimeter and internal deployment). It is a high-confidence detection with sid:2034896.
- The Snort rule targets [$HOME_NET,$HTTP_SERVERS] as the destination. Ensure these variables are correctly scoped to include SMA 100 series appliances (SMA 200, 210, 400, 410, 500v) in your sensor configuration for accurate coverage.
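The rule's URI logic can be replayed over stored web or proxy logs to hunt retroactively where the sensor was not yet deployed. This is an added example, not part of the original page or the rule authors' code; the log format, the `/example-upload` path and all sample values are constructed, and the URI is percent-decoded first on the assumption that the sensor's normalised URI buffer does the same.

```python
import re
from urllib.parse import unquote

TOKEN = "swcctn="      # content:"swcctn=" in http.uri
TRAVERSAL = "./"       # content:"|2e 2f|"
WINDOW = 3             # within:3 -> match must end inside the next 3 bytes

# Constructed access-log lines; addresses, path and values are placeholders.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Jan/2022:10:01:02 +0000] "POST /example-upload?swcctn=../placeholder HTTP/1.1" 200 12
198.51.100.7 - - [12/Jan/2022:10:01:05 +0000] "POST /example-upload?swcctn=%2e%2e%2fplaceholder HTTP/1.1" 200 12
203.0.113.9 - - [12/Jan/2022:10:02:00 +0000] "POST /example-upload?swcctn=AbCdEf0123 HTTP/1.1" 200 12
203.0.113.9 - - [12/Jan/2022:10:02:09 +0000] "GET /example-upload?swcctn=./placeholder HTTP/1.1" 200 12
203.0.113.9 - - [12/Jan/2022:10:03:00 +0000] "POST /./example-upload?swcctn=AbCdEf0123 HTTP/1.1" 200 12
"""

# client address, then the quoted request line: METHOD URI PROTOCOL
REQUEST_RE = re.compile(r'^(\S+) .*?"(\S+) (\S+) [^"]*"')


def uri_matches(method: str, uri: str) -> bool:
    """Mirror the rule: POST, 'swcctn=' in the URI, './' within 3 bytes after it."""
    if method != "POST":            # rule content match is case-sensitive
        return False
    decoded = unquote(uri)
    start = decoded.find(TOKEN)
    while start != -1:              # check every occurrence of the token
        after = start + len(TOKEN)
        if TRAVERSAL in decoded[after:after + WINDOW]:
            return True
        start = decoded.find(TOKEN, start + 1)
    return False


def hunt(log_text: str) -> list[tuple[str, str]]:
    """Return (client, raw URI) for every log line the rule logic would flag."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and uri_matches(m.group(2), m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for client, uri in hunt(SAMPLE_LOG):
        print(f"possible CVE-2021-20040 attempt from {client}: {uri}")
```

Only the first two sample lines are flagged: the GET request and the lines where './' does not sit directly after the token fall outside the rule's conditions.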
CVSS provenance
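| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |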
Suricata
ET EXPLOIT SonicWall SMA 100 Series - Unauthenticated File Upload Path Traversal (CVE-2021-20040)
suricata·2022-01-12·CVSS 7.5
Suricata
ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)
suricata·2022-01-12·CVSS 8.8
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, confidence Medium, signature_severity
No public exploits indexed.