CVE-2021-20042
published 2021-12-08

Priority P261 · critical · 9.8 · CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.66% (83.8th percentile)
An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | | |
| sonicwall | sma_200_firmware | | |
| sonicwall | sma_200_firmware | | |
| sonicwall | sma_210_firmware | | |
| sonicwall | sma_210_firmware | | |
| sonicwall | sma_210_firmware | | |
| sonicwall | sma_400_firmware | | |
| sonicwall | sma_400_firmware | | |
| sonicwall | sma_400_firmware | | |
| sonicwall | sma_410_firmware | | |
| sonicwall | sma_410_firmware | | |
| sonicwall | sma_410_firmware | | |
| sonicwall | sma_500v_firmware | | |
| sonicwall | sma_500v_firmware | | |
| sonicwall | sma_500v_firmware | | |
| sonicwall | sonicwall_sma100 | | |
| sonicwall | sonicwall_sma100 | | |
| sonicwall | sonicwall_sma100 | | |
| sonicwall | sonicwall_sma100 | | |

Detection & IOCs

url: /fileshare/sonicfiles/sonicfiles?
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated sonicfiles Confused Deputy (CVE-2021-20042)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/fileshare/sonicfiles/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|25"; content:"Arg1|3d|"; pcre:"/^[a-z]+\x3a\x2f{2}/R"; reference:url,www.rapid7.com/blog/post/2022/01/11/cve-2021-20038-42-sonicwall-sma-100-multiple-vulnerabilities-fixed-2/; reference:cve,2021-20042; classtype:web-application-attack; sid:2061554; rev:1;)
  • Look for unauthenticated HTTP GET requests to the '/fileshare/sonicfiles/sonicfiles?' URI path on SonicWall SMA 100-series appliances (SMA 200, 210, 400, 410, 500v).
  • The exploit request contains the query parameters 'RacNumber=25' and 'Arg1=' followed by a URL-scheme string (e.g., http:// or https://) — the PCRE '/^[a-z]+\x3a\x2f{2}/R' matches a protocol scheme in Arg1, indicating the attacker is supplying an external URL to proxy through the device.
  • The attack is classified as a 'Confused Deputy' / unintended proxy abuse — an unauthenticated remote attacker uses the SMA 100 as an intermediary to bypass firewall rules. Monitor for outbound connections originating from the SMA appliance to unexpected external hosts triggered by inbound requests to the sonicfiles endpoint.
  • Deploy the Snort/Suricata rule with SID 2061554 at the perimeter and on SSL-decrypting inspection points (TLSDecrypt/SSLDecrypt deployments) to catch this attack over HTTPS.
  • Affected appliances are limited to SMA 200, 210, 400, 410, and 500v, so scope detection rules accordingly and do not apply them broadly to other SonicWall product lines.
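
The conditions of SID 2061554 can also be applied retroactively to access logs from the appliance or a fronting proxy. The following Python is an added example, not part of the rule or its sources. It assumes combined-log-format lines, uses constructed sample entries with placeholder hosts, and percent-decodes the query string before testing Arg1.

```python
import re
from urllib.parse import urlsplit, parse_qsl

SONICFILES_PATH = "/fileshare/sonicfiles/sonicfiles"
# Same test the rule's PCRE applies right after "Arg1=": lowercase scheme, then "://".
SCHEME_RE = re.compile(r"^[a-z]+://")
# Assumed log layout (combined log format): source IP first, request line in quotes.
LOG_RE = re.compile(r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def match_request(method, uri):
    """Return the URL supplied in Arg1 if the request meets the rule's conditions, else None."""
    if method != "GET":
        return None
    parts = urlsplit(uri)
    if parts.path != SONICFILES_PATH:
        return None
    # parse_qsl percent-decodes values, so an encoded "://" is tested in decoded form.
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("RacNumber") != "25":
        return None
    arg1 = params.get("Arg1", "")
    return arg1 if SCHEME_RE.match(arg1) else None

def scan(lines):
    """Return (source_ip, Arg1 URL) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = match_request(m["method"], m["uri"])
        if target is not None:
            hits.append((m["src"], target))
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder hostnames).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2022:10:01:02 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=http://host-a.example.test/ HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2022:10:01:05 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=25&Arg1=https%3A%2F%2Fhost-b.example.test%2F HTTP/1.1" 200 90',
    '203.0.113.9 - - [12/Jan/2022:10:02:00 +0000] "GET /fileshare/sonicfiles/sonicfiles?RacNumber=2&Arg1=docs HTTP/1.1" 200 10',
    '203.0.113.9 - - [12/Jan/2022:10:02:03 +0000] "POST /index.html HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for src, target in scan(SAMPLE_LOG):
        print(f"{src} requested proxying to {target}")
```

Each hit gives the Arg1 destination, which can then be correlated with outbound connections from the appliance as the monitoring bullet above suggests.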

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P