CVE-2021-20042

Published: Dec 8, 2021Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An unauthenticated remote attacker can use SMA 100 as an unintended proxy or intermediary undetectable proxy to bypass firewall rules. This vulnerability affected SMA 200, 210, 400, 410 and 500v appliances.

Affected (15)

Products: Sonicwall: Sma 200 Firmware, Sma 210 Firmware, Sma 410 Firmware, Sma 400 Firmware, Sma 500v Firmware

5 products

Configuration A

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Sma 200 Firmware	Version 10.2.0.8-37sv
Sonicwall Sma 200 Firmware	Version 10.2.1.1-19sv
Sonicwall Sma 200 Firmware	Version 9.0.0.11-31sv

Running on/with	Platform Versions
Sonicwall Sma 200	All versions

Configuration B

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Sma 210 Firmware	Version 10.2.0.8-37sv
Sonicwall Sma 210 Firmware	Version 10.2.1.1-19sv
Sonicwall Sma 210 Firmware	Version 9.0.0.11-31sv

Running on/with	Platform Versions
Sonicwall Sma 210	All versions

Configuration C

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Sma 410 Firmware	Version 10.2.0.8-37sv
Sonicwall Sma 410 Firmware	Version 10.2.1.1-19sv
Sonicwall Sma 410 Firmware	Version 9.0.0.11-31sv

Running on/with	Platform Versions
Sonicwall Sma 410	All versions

Configuration D

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Sma 400 Firmware	Version 10.2.0.8-37sv
Sonicwall Sma 400 Firmware	Version 10.2.1.1-19sv
Sonicwall Sma 400 Firmware	Version 9.0.0.11-31sv

Running on/with	Platform Versions
Sonicwall Sma 400	All versions

Configuration E

3 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Sonicwall Sma 500v Firmware	Version 10.2.0.8-37sv
Sonicwall Sma 500v Firmware	Version 10.2.1.1-19sv
Sonicwall Sma 500v Firmware	Version 9.0.0.11-31sv

Running on/with	Platform Versions
Sonicwall Sma 500v	All versions

Related CWEs

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

References (2)

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Source: PSIRT@sonicwall.com

Vendor Advisory

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0026

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.