CVE-2021-20043
Published 2021-12-08
Priority P2 · 64 · high · 8.8 CVSS 3.1
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 23.26% (97.5th percentile)
A Heap-based buffer overflow vulnerability in SonicWall SMA100 getBookmarks method allows a remote authenticated attacker to potentially execute code as the nobody user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs
- path: /cgi-bin/sonicfiles
- path: /cgi-bin/editBookmark
- command: RacNumber=35
- cookie: swcctn=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Heap-Based Buffer Overflow (CVE-2021-20043)"; flow:established,to_server; flowbits:isset,ET.SW.Bookmark; http.method; content:"POST"; http.uri; content:"/cgi-bin/sonicfiles|3f|"; fast_pattern; content:"RacNumber|3d|35"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-heap-based-buffer-overflow-cve-2021-20043/; reference:cve,2021-20043; classtype:web-application-attack; sid:2061729; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20043, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

snort
alert http any any -> $HOME_NET any (msg:"ET INFO SonicWall SMA Multiple CIFS Server Bookmark Creation"; flow:established,to_server; flowbits:set,ET.SW.Bookmark; http.method; content:"POST"; http.uri; content:"/cgi-bin/editBookmark|3f|"; fast_pattern; http.request_body; content:"bmName|3d|"; pcre:"/^[^\x26]{64,}/R"; content:"service|3d|CIFS"; threshold:type threshold, seconds 30, count 5, track by_src; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-heap-based-buffer-overflow-cve-2021-20043/; classtype:misc-activity; sid:2061728; rev:2; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Informational, updated_at 2026_01_20; target:dest_ip;)

snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"swcctn="; fast_pattern; http.request_body; content:"bmName="; startswith; pcre:"/^[^&]{100,}/R"; threshold:type threshold, track by_src, count 3, seconds 60; reference:url,research.nccgroup.com/2021/12/09/technical-advisory-sonicwall-sma-100-series-unauthenticated-file-upload-path-traversal-cve-2021-20040/; reference:cve,2021-20043; classtype:attempted-admin; sid:2034897; rev:1; metadata:created_at 2022_01_12, cve CVE_2021_20043, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_12;)

- Exploit chain requires two stages: first, creation of multiple CIFS server bookmarks via POST to /cgi-bin/editBookmark with a bmName parameter value ≥64 bytes and service=CIFS (5+ requests in 30s sets flowbit ET.SW.Bookmark); second, the overflow is triggered via POST to /cgi-bin/sonicfiles with RacNumber=35.
- Stage 1 detection: look for repeated POST requests to /cgi-bin/editBookmark with bmName body parameter value exceeding 64 characters and service=CIFS, threshold 5 requests in 30 seconds from the same source.
- Alternative exploit detection: POST requests containing the swcctn= URI parameter and a bmName= body value exceeding 100 characters, threshold 3 requests in 60 seconds from the same source.
- TLS decryption (SSLDecrypt/TLSDecrypt) is required for all three Snort rules to fire, as the SMA100 appliance communicates over HTTPS.
- The vulnerability is exploitable by a remote authenticated attacker; monitor for authenticated sessions performing anomalous bookmark creation activity preceding getBookmarks calls.
- All three Snort rules require TLS inspection (SSLDecrypt/TLSDecrypt) to be enabled on the monitoring sensor; without it, the HTTP body and URI parameters will not be visible and rules will not trigger.
- The primary exploit rule (sid:2061729) depends on the flowbit ET.SW.Bookmark being set by the prerequisite bookmark-creation rule (sid:2061728); both rules must be active and in the correct order for the chained detection to work.
- The alternative exploit rule (sid:2034897) carries only Medium confidence per its metadata, meaning it may produce false positives in environments with legitimate high-volume bookmark operations.
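
The chained detection described in the notes above, applied offline to decrypted HTTP request records; this is an added example, not code from the page's sources. The record fields (`ts`, `src`, `method`, `uri`, `body`) and the per-source `primed` set standing in for the flowbit are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict, deque

# Thresholds taken from the page: bmName value of 64+ chars, 5 requests in 30 s.
BM_NAME = re.compile(r"bmName=([^&]{64,})")
WINDOW_S, MIN_HITS = 30, 5

def is_stage1(req):
    # Bookmark creation matching the sid:2061728 conditions.
    return (req["method"] == "POST"
            and "/cgi-bin/editBookmark?" in req["uri"]
            and BM_NAME.search(req["body"]) is not None
            and "service=CIFS" in req["body"])

def is_stage2(req):
    # Request matching the sid:2061729 URI conditions.
    return (req["method"] == "POST"
            and "/cgi-bin/sonicfiles?" in req["uri"]
            and "RacNumber=35" in req["uri"])

def correlate(requests):
    """Return (ts, src) for each stage-2 request from a primed source."""
    recent = defaultdict(deque)   # src -> timestamps of stage-1 hits
    primed = set()                # assumed stand-in for flowbit ET.SW.Bookmark
    alerts = []
    for req in sorted(requests, key=lambda r: r["ts"]):
        src = req["src"]
        if is_stage1(req):
            hits = recent[src]
            hits.append(req["ts"])
            while hits and req["ts"] - hits[0] > WINDOW_S:
                hits.popleft()    # drop hits that fell out of the window
            if len(hits) >= MIN_HITS:
                primed.add(src)
        elif is_stage2(req) and src in primed:
            alerts.append((req["ts"], src))
    return alerts

# Constructed sample records (not real traffic); field names are assumed.
def _req(ts, src, uri, body=""):
    return {"ts": ts, "src": src, "method": "POST", "uri": uri, "body": body}

BM_URI, RAC_URI = "/cgi-bin/editBookmark?", "/cgi-bin/sonicfiles?RacNumber=35"
LONG = "bmName=" + "A" * 80 + "&service=CIFS"
SAMPLE = ([_req(t, "10.0.0.5", BM_URI, LONG) for t in range(0, 10, 2)]  # 5 in 8 s
          + [_req(12, "10.0.0.5", RAC_URI)]
          + [_req(t, "10.0.0.9", BM_URI, LONG) for t in range(0, 200, 50)]  # too slow
          + [_req(210, "10.0.0.9", RAC_URI)])
print(correlate(SAMPLE))
```

Only the source that created five long-named CIFS bookmarks inside the window is reported; the slower source never primes the second stage.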
CVSS provenance
- nvd · v3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 6.5 MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P
SonicWall
CVE-2021-20043: A Heap-based buffer overflow vulnerability in SonicWall SMA100 getBookmarks method allows a remote authenticated attacker to potentially execute code
vendor_sonicwall·2021-12-08·CVSS 8.8
CVE-2021-20043 [HIGH] CWE-122
GHSA
GHSA-857m-46rq-rj5c: A Heap-based buffer overflow vulnerability in SonicWall SMA100 getBookmarks method allows a remote authenticated attacker to potentially execute code
ghsa_unreviewed·2021-12-09
CVE-2021-20043 [HIGH] CWE-787
Suricata
ET WEB_SERVER SonicWall SMA Heap-Based Buffer Overflow (CVE-2021-20043)
suricata·2025-04-18·CVSS 8.8
Suricata
ET INFO SonicWall SMA Multiple CIFS Server Bookmark Creation
suricata·2025-04-18
Suricata
ET EXPLOIT SonicWall SMA 100 Series - Possible Heap-Based Overflow Activity (CVE-2021-20043)
suricata·2022-01-12·CVSS 8.8
No public exploits indexed.
2021-12-08
Published