CVE-2021-20045
Published 2021-12-08

Priority P2 · 72 · critical · 9.8 CVSS 3.1
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 25.21% (97.7th percentile)
A buffer overflow vulnerability in SMA100 sonicfiles RAC_COPY_TO (RacNumber 36) method allows a remote unauthenticated attacker to potentially execute code as the 'nobody' user in the appliance. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | sma_200_firmware | — | — |
| sonicwall | sma_210_firmware | — | — |
| sonicwall | sma_400_firmware | — | — |
| sonicwall | sma_410_firmware | — | — |
| sonicwall | sma_500v_firmware | — | — |
| sonicwall | sonicwall_sma100 | — | — |
Detection & IOCs

- url: /fileshare/sonicfiles/?
- other: RacNumber=36
Snort/Suricata rule, stack overflow variant M1 (sid 2061730):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Stack Buffer Overflow (CVE-2021-20045) M1"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"User|3d|"; pcre:"/^[^\x26]{136,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061730; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Snort/Suricata rule, stack overflow variant M2 (sid 2061731):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Stack Buffer Overflow (CVE-2021-20045) M2"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"Pass|3d|"; pcre:"/^[^\x26]{136,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061731; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

Snort/Suricata rule, heap overflow variant (sid 2061732):

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SERVER SonicWall SMA Unauthenticated Heap Buffer Overflow (CVE-2021-20045)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/fileshare/sonicfiles|2f 3f|"; fast_pattern; content:"Domn|3d|"; pcre:"/^[^\x26]{128,}/R"; content:"RacNumber|3d|36"; reference:url,www.nccgroup.com/us/research-blog/technical-advisory-sonicwall-sma-100-series-multiple-unauthenticated-heap-based-and-stack-based-buffer-overflow-cve-2021-20045/; reference:cve,2021-20045; classtype:web-application-attack; sid:2061732; rev:1; metadata:affected_product SonicWall, attack_target Server, tls_state TLSDecrypt, created_at 2025_04_18, cve CVE_2021_20045, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_04_18, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit traffic targets HTTP POST to /fileshare/sonicfiles/?; monitor for POST requests to this URI path on SMA 100-series appliances.
- Stack overflow variant M1: look for the 'User' POST parameter with a value of 136+ non-ampersand characters, combined with RacNumber=36.
- Stack overflow variant M2: look for the 'Pass' POST parameter with a value of 136+ non-ampersand characters, combined with RacNumber=36.
- Heap overflow variant: look for the 'Domn' POST parameter with a value of 128+ non-ampersand characters, combined with RacNumber=36.
- The vulnerable method is RAC_COPY_TO with RacNumber 36: RacNumber=36 in the POST body is a reliable indicator of exploitation attempts against this specific method.
- The rules require TLS decryption (tls_state TLSDecrypt) to be effective; deploy them on SSL-inspecting perimeter sensors or internal decryption points.
- Without TLS/SSL inspection in place, encrypted exploit traffic will not be inspectable by these signatures.
- Affected appliances are SMA 200, 210, 400, 410, and 500v only; scope detection to those device types to reduce false positives.
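The three signatures above reduce to one decision: a POST whose URI contains `/fileshare/sonicfiles/?`, carries `RacNumber=36`, and has a `User`, `Pass` or `Domn` field whose raw value runs 136, 136 or 128 non-ampersand characters. The following is an added example (not from this page's sources or the rule authors) that re-implements that logic in Python for offline triage of proxy or access-log entries; it is an assumption of the example that the fields are accepted from either the query string (where the signatures' `http.uri` matches anchor) or the form body (as the notes above describe), and the sample requests are constructed, not real captures.

```python
from urllib.parse import urlsplit

# Per-field length thresholds and sids, copied from the three ET signatures above.
# Field -> (rule name, sid, minimum run of non-'&' characters after "Field=").
RULES = {
    "User": ("stack overflow M1", 2061730, 136),
    "Pass": ("stack overflow M2", 2061731, 136),
    "Domn": ("heap overflow", 2061732, 128),
}
URI_MARKER = "/fileshare/sonicfiles/?"   # the rules' fast_pattern content match

def raw_params(query: str) -> dict:
    # Split on '&' and '=' WITHOUT percent-decoding: the pcre /^[^\x26]{136,}/R
    # counts raw characters up to the next '&', so "%41" is three characters,
    # not one. First occurrence of a key wins, like a content match would.
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params.setdefault(key, value)
    return params

def classify(method: str, uri: str, body: str = "") -> list:
    """Return [(rule name, sid), ...] for each signature this request satisfies."""
    if method.upper() != "POST" or URI_MARKER not in uri:
        return []
    # Assumption of this example: the fields may arrive in the query string (where
    # the signatures match) or in the form body (as the notes describe); query wins.
    params = raw_params(urlsplit(uri).query)
    for key, value in raw_params(body).items():
        params.setdefault(key, value)
    if params.get("RacNumber") != "36":
        return []
    return [(name, sid) for field, (name, sid, limit) in RULES.items()
            if len(params.get(field, "")) >= limit]

# Constructed sample requests (not real captures): benign login, M1-style oversize
# User field, the same field over GET (no alert), and Domn without RacNumber=36.
SAMPLE_REQUESTS = [
    ("POST", "/fileshare/sonicfiles/?RacNumber=36&User=alice&Pass=secret", ""),
    ("POST", "/fileshare/sonicfiles/?RacNumber=36&User=" + "A" * 140 + "&Pass=x", ""),
    ("GET", "/fileshare/sonicfiles/?RacNumber=36&User=" + "A" * 140, ""),
    ("POST", "/fileshare/sonicfiles/?RacNumber=35&Domn=" + "B" * 200, ""),
]

def scan(requests) -> dict:
    """Map request index -> matched rules, skipping requests with no hit."""
    return {i: hits for i, (m, u, b) in enumerate(requests) if (hits := classify(m, u, b))}
```

Running `scan(SAMPLE_REQUESTS)` flags only the second request, and `classify` on a `Domn` value of 127 characters stays silent because the heap rule's threshold is 128, which is the boundary a tuned copy of these rules should be tested against.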
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
No public exploits indexed.