25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

SonicWall Recommends Immediate Firmware Upgrade to Fix Critical Flaws in SMA 100 Series Appliances

Posted By on Dec 9, 2021

SonicWall has released new firmware for its Secure Mobile Access (SMA) 100 series remote access appliances that fixes 8 vulnerabilities including 2 critical and 4 high-severity flaws.

Vulnerabilities in SonicWall appliances are attractive to threat actors and have been targeted in the past in ransomware attacks. While there are currently no known cases of the latest batch of vulnerabilities being exploited in the wild, there is a high risk of these vulnerabilities being exploited if the firmware is not updated promptly. SMA 100 series appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, all of which are affected.

The most serious vulnerabilities are buffer overflow issues which could be exploited remotely by an unauthenticated attacker to execute code on vulnerable appliances. These are CVE-2021-20038, an unauthenticated stack-based buffer overflow vulnerability (CVSS score of 9.8), and CVE-2021-20045, which covers multiple unauthenticated file explorer heap-based and stack-based buffer overflow issues (CVSS score 9.4). A further heap-based buffer overflow vulnerability – CVE-2021-20043 – allows remote code execution, although an attacker would need to be authenticated (CVSS score 8.8).

The remaining 3 high-severity vulnerabilities are CVE-2021-20041 – an unauthenticated CPU exhaustion vulnerability (CVSS score 7.5); CVE-2021-20039 – an authenticated command injection vulnerability (CVSS score 7.2); and CVE-2021-20044 – a post-authentication remote code execution vulnerability (CVSS score 7.2).

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

Two medium-severity vulnerabilities have also been fixed: CVE-2021-20040 – an unauthenticated file upload path traversal vulnerability (CVSS score 6.5) and CVE-2021-20042 – an unauthenticated ‘confused deputy’ vulnerability (CVSS score 6.3).

The firmware update can be accessed at MySonicWall.com and should be applied as soon as possible to prevent exploitation. SonicWall says there are no temporary mitigations that can be implemented to prevent exploitation of the flaws.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist