CVE-2021-20016 — SonicWall SSLVPN SMA100 SQL Injection Vulnerability

SonicWall SMA100 VPN — Zero-Day SQL Injection in Authentication Flow Enabling Credential Theft and Authentication Bypass; Exploited Before Patch Availability

What is SonicWall SMA100?

SonicWall Secure Mobile Access (SMA) 100 series appliances (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) are enterprise SSL VPN gateways that provide remote access to corporate networks for employees and contractors. The SMA 100 series is a dedicated remote access platform — unlike the EOL SRA series — and was actively supported at the time of this vulnerability. Because VPN gateways are internet-facing by design and serve as the entry point to corporate networks, SQL injection vulnerabilities in the authentication layer are particularly severe: they allow credential theft that enables legitimate-looking network access.

Overview

CVE-2021-20016 is an SQL injection vulnerability (CWE-89) in the SonicWall SMA 100 series SSL VPN appliances. A remote, unauthenticated attacker can issue SQL queries through the pre-authentication login flow and read usernames, passwords and other session-related information from the appliance's database. It was exploited as a zero-day: SonicWall reported active exploitation on January 22, 2021, before a fix existed, and told customers to restrict access to SMA 100 devices; the fixed firmware, 10.2.0.5-29sv, shipped on February 3, 2021. Ransomware operators used credentials and session data obtained this way to establish VPN sessions and move into corporate networks.

Affected Versions

Product | Vulnerable | Fixed
SMA 200, firmware 10.x before 10.2.0.5-29sv | Yes | 10.2.0.5-29sv
SMA 210, firmware 10.x before 10.2.0.5-29sv | Yes | 10.2.0.5-29sv
SMA 400, firmware 10.x before 10.2.0.5-29sv | Yes | 10.2.0.5-29sv
SMA 410, firmware 10.x before 10.2.0.5-29sv | Yes | 10.2.0.5-29sv
SMA 500v (virtual appliance), firmware 10.x before 10.2.0.5-29sv | Yes | 10.2.0.5-29sv

Technical Details

The SMA 100 series login flow runs SQL queries that incorporate the values a client submits to authenticate. SonicWall has not published the affected query, but the vulnerability class and its consequences are clear from the advisory and the NVD description:

  • Root cause: SQL injection (CWE-89). Input from the unauthenticated login request is placed into SQL statement text without parameterization or adequate escaping, so quote characters and SQL keywords in that input change the structure of the query instead of being treated as data.
  • Credential extraction: A crafted login parameter turns the authentication query into one that reads the credential store, returning usernames and passwords (hashed or plaintext, depending on how the appliance stores them). Password hashes can then be cracked offline; plaintext values can be used directly.
  • Session data extraction: The NVD description also lists "other session related information". Session tokens or identifiers obtained this way can be replayed to take over an existing, already-authenticated VPN session, which sidesteps the password altogether.
  • Authentication bypass: The same injection can in principle rewrite the query's WHERE clause (for example by commenting out the password comparison) so that the login check succeeds without a valid password.
  • No authentication required: The injection point is reached before any credential is validated, so any host that can reach the login page can exploit it.
  • Credential use: Stolen credentials and session data are used to establish VPN sessions through the appliance's normal path, so the resulting access looks like an ordinary user login in the appliance's logs.
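The pattern described above, as an added illustration that is not the SMA 100's code (SonicWall has not published the vulnerable query): a login check that splices the username into SQL, the bypass, hash-dump and session-dump payloads it admits, and the same check written with bound parameters. The SQLite schema, table names, session token and accounts are constructed for this example.

```python
import hashlib
import sqlite3

# Illustrative only: a stand-in for a VPN appliance credential store. The
# schema, table names, token and accounts are constructed for this example
# and are not the SMA 100's real database.
USERS = [
    ("alice", "Winter2021!", "LocalDomain"),
    ("bob", "hunter2", "LocalDomain"),
    ("svc-backup", "B@ckup!!", "LocalDomain"),
]


def hash_pw(password: str) -> str:
    # Unsalted SHA-256 keeps the example short; a real store should use a
    # slow, salted hash. The injection point here is the query text, not
    # the hash choice.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                "password_hash TEXT, realm TEXT)")
    con.execute("CREATE TABLE sessions (token TEXT PRIMARY KEY, username TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(u, hash_pw(p), r) for u, p, r in USERS])
    con.execute("INSERT INTO sessions VALUES (?, ?)",
                ("9f1c2e4d-session-token", "alice"))
    con.commit()
    return con


def login_vulnerable(con, username, password):
    """CWE-89: the username is spliced into the SQL text, so quote characters
    in it change the query's structure. Returns the matched (username, realm)
    rows; any row at all means 'authenticated'."""
    query = (f"SELECT username, realm FROM users WHERE username = '{username}' "
             f"AND password_hash = '{hash_pw(password)}'")
    return con.execute(query).fetchall()


def login_safe(con, username, password):
    """Same check with bound parameters: the driver passes the values
    separately from the statement, so they can never alter its structure."""
    query = "SELECT username, realm FROM users WHERE username = ? AND password_hash = ?"
    return con.execute(query, (username, hash_pw(password))).fetchall()


# Payloads an unauthenticated client could submit in the username field.
BYPASS = "alice' --"          # '--' comments out the password comparison
DUMP_HASHES = "' UNION SELECT username, password_hash FROM users --"
DUMP_SESSIONS = "' UNION SELECT username, token FROM sessions --"


if __name__ == "__main__":
    con = build_db()
    print("bypass  :", login_vulnerable(con, BYPASS, "wrong"))
    print("hashes  :", sorted(login_vulnerable(con, DUMP_HASHES, "x")))
    print("sessions:", login_vulnerable(con, DUMP_SESSIONS, "x"))
    print("safe    :", login_safe(con, BYPASS, "wrong"),
          login_safe(con, DUMP_HASHES, "x"))
```

The UNION payloads work because the injected SELECT returns the same number of columns as the original, so the stolen values simply appear in the "realm" position of the result. Note that hashing the password before splicing it into the query neutralizes that one parameter as an injection point; it does nothing for the username, which is why every input must be bound rather than selectively escaped.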

Discovery

Identified through active exploitation. On January 22, 2021 SonicWall PSIRT disclosed that highly sophisticated threat actors had attacked its internal systems by exploiting probable zero-day vulnerabilities in its secure remote access products, and urged customers to restrict access to SMA 100 appliances while the investigation continued. On January 31 NCC Group reported that it had reproduced an exploit and was seeing it used indiscriminately in the wild; SonicWall confirmed the zero-day in SMA 100 series 10.x firmware on February 1 and released fixed firmware 10.2.0.5-29sv on February 3.

Exploitation Context

Exploitation was tied to ransomware from the outset: Mandiant attributed exploitation of CVE-2021-20016 to the financially motivated group UNC2447, which used the resulting VPN access to deploy FIVEHANDS ransomware, and CISA's Known Exploited Vulnerabilities entry flags the CVE for known ransomware use. Access obtained this way is harder to spot than malware-based persistence: the attacker logs in as an existing user through the organization's own VPN gateway, so the foothold survives endpoint cleanup and lateral movement starts from an address the network already trusts.

Remediation

  1. Upgrade all SMA 100 series appliances (SMA 200, 210, 400, 410, 500v) to firmware 10.2.0.5-29sv or later immediately
  2. Reset every VPN user credential and invalidate all active VPN sessions. If the appliance was reachable from the internet before patching, treat every stored password and session token as compromised; a password reset alone does not help if extracted session data can still be replayed
  3. Require multi-factor authentication (MFA) for all VPN access. MFA stops a stolen password from being reused on its own; it does not protect a session that was hijacked with extracted session data, which is why step 2 must include session invalidation
  4. Review SMA 100 authentication logs from January 2021 onward for logins from source IPs or geographies a user has never used, for one source address authenticating as many different accounts, and for logins outside a user's normal hours
  5. Where any of the above is found, or where the appliance was exposed without MFA before patching, extend the review to VPN session logs (session duration, internal destinations reached) and treat the affected accounts as compromised
  6. Check Active Directory for newly created accounts, group or privilege changes, and lateral-movement activity originating from the VPN address pool during the exposure window
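A concrete form of steps 4 and 5, as an added example rather than anything from the SonicWall advisory: it baselines each user's source IPs from successful logins before the January 22 disclosure, then flags post-disclosure logins from sources a user never used and any single source that authenticates as several accounts (the shape a replay of dumped credentials takes). The key=value log format and the sample lines are constructed for the example; the SMA 100's real log export differs, so parse_log must be adapted to the format you actually have.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in a generic "key=value" layout. This is NOT the
# SMA 100's log format; it only gives the review logic something to run on.
SAMPLE_LOG = """\
2021-01-10T08:02:11Z user=alice src=203.0.113.10 result=success
2021-01-11T09:15:40Z user=bob src=198.51.100.7 result=success
2021-01-12T07:58:03Z user=alice src=203.0.113.10 result=success
2021-01-14T18:21:09Z user=svc-backup src=198.51.100.9 result=success
2021-01-24T02:13:55Z user=alice src=192.0.2.44 result=success
2021-01-24T02:14:20Z user=bob src=192.0.2.44 result=success
2021-01-24T02:14:48Z user=svc-backup src=192.0.2.44 result=success
2021-01-25T10:05:12Z user=bob src=198.51.100.7 result=success
2021-01-25T11:40:31Z user=alice src=192.0.2.45 result=failure
"""

# Date SonicWall disclosed active exploitation; logins from here on are
# the ones to scrutinize, logins before it form the "normal" baseline.
DISCLOSURE = datetime(2021, 1, 22, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")


def parse_log(text):
    """Turn log text into a list of event dicts; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "user": m["user"], "src": m["src"],
                       "ok": m["result"] == "success"})
    return events


def baseline_sources(events, before):
    """Each user's set of source IPs seen in successful logins before `before`."""
    seen = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] < before:
            seen[e["user"]].add(e["src"])
    return seen


def flag_new_source_logins(events, baseline, since):
    """Successful logins at/after `since` from an IP the user never used before."""
    return [(e["ts"], e["user"], e["src"]) for e in events
            if e["ok"] and e["ts"] >= since
            and e["src"] not in baseline.get(e["user"], set())]


def flag_shared_sources(events, since, min_users=3):
    """Source IPs that logged in successfully as `min_users` or more distinct
    accounts at/after `since`: one attacker working through a dumped list."""
    users_by_src = defaultdict(set)
    for e in events:
        if e["ok"] and e["ts"] >= since:
            users_by_src[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_users}


def review(text, cutoff=DISCLOSURE):
    """Run both checks and return the findings as plain data."""
    events = parse_log(text)
    baseline = baseline_sources(events, cutoff)
    return {
        "new_source_logins": [(u, s) for _, u, s in
                              flag_new_source_logins(events, baseline, cutoff)],
        "shared_sources": flag_shared_sources(events, cutoff),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample data the 25 January login for bob from 198.51.100.7 is not flagged because that address is in his baseline, and the failed attempt for alice from 192.0.2.45 is ignored because only successful logins matter for this question; the three logins from 192.0.2.44 within a minute of each other trip both checks. A baseline built from a short window will produce false positives for travelling users, so pair the output with a geolocation or known-VPN-egress list before treating an account as compromised.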

Key Details

Property | Value
CVE ID | CVE-2021-20016
Vendor / Product | SonicWall — SSLVPN SMA100
NVD Published | 2021-02-04
NVD Last Modified | 2025-10-31
CVSS 3.1 Score | 9.8
CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity | CRITICAL
CWE | CWE-89
CISA KEV Added | 2021-11-03
CISA KEV Deadline | 2021-11-17
Known Ransomware Use | Yes

CVSS 3.1 Breakdown

Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality | High
Integrity | High
Availability | High

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date | Event
2021-01-22 | SonicWall discloses that probable zero-day vulnerabilities in its remote access products are being exploited; warns customers to restrict SMA 100 access
2021-01-31 | NCC Group reports reproducing an exploit and observing it used indiscriminately in the wild
2021-02-01 | SonicWall confirms the zero-day in SMA 100 series 10.x firmware
2021-02-03 | SonicWall releases firmware 10.2.0.5-29sv patching CVE-2021-20016 (PSIRT Advisory SNWLID-2021-0001)
2021-02-04 | NVD publishes CVE-2021-20016
2021-11-03 | Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17 | CISA BOD 22-01 remediation deadline

References

Resource | Type
SonicWall PSIRT Advisory SNWLID-2021-0001 | Vendor Advisory
NVD — CVE-2021-20016 | Vulnerability Database
CISA KEV Catalog Entry | US Government