SECURITY ALERTS

SonicWall Critical Vulnerability (CVE-2021-20034)

DESCRIPTION:

An improper access control vulnerability (CVE-2021-20034) in SMA100 allows a remote unauthenticated attacker to bypass the path traversal checks and delete an arbitrary file, potentially resulting in a reboot to factory default settings.

 

AFFECTED RELEASES:

SMA 100 Series — SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v — running the following versions:
10.2.0.7-34sv and earlier
10.2.1.0-17sv and earlier
9.0.0.10-28sv and earlier
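
To triage an appliance inventory against the list above, the following added example (not SonicWall code) classifies firmware version strings. It assumes that each "and earlier" bound applies only within the branch sharing its first three version components; the hostnames and inventory versions are constructed. A result of "above-affected-range" only means the build is newer than the listed bound, and "unknown-branch" calls for a manual check against the vendor notice.

```python
import re

# Highest affected build per branch, copied from the AFFECTED RELEASES list.
AFFECTED_CEILINGS = ["10.2.0.7-34sv", "10.2.1.0-17sv", "9.0.0.10-28sv"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Split '10.2.0.7-34sv' into branch (10, 2, 0) and rank (7, 34)."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, maint, patch, build = (int(g) for g in match.groups())
    return (major, minor, maint), (patch, build)


# Assumption: a "branch" is the first three components, so each listed
# ceiling only bounds versions that share those components.
_CEILING_BY_BRANCH = dict(parse_version(v) for v in AFFECTED_CEILINGS)


def classify(version):
    """Return 'affected', 'above-affected-range', 'unknown-branch' or 'unparseable'."""
    try:
        branch, rank = parse_version(version)
    except ValueError:
        return "unparseable"
    ceiling = _CEILING_BY_BRANCH.get(branch)
    if ceiling is None:
        # Not one of the three listed branches: needs manual review.
        return "unknown-branch"
    return "affected" if rank <= ceiling else "above-affected-range"


# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {
    "sma-a": "10.2.0.7-34sv",
    "sma-b": "10.2.1.0-12sv",
    "sma-c": "10.2.0.9-40sv",
    "sma-d": "8.5.0.0-13sv",
    "sma-e": "unknown",
}


def audit(inventory):
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {INVENTORY[host]} -> {verdict}")
```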

 

SOLUTION:

Users and system administrators of affected products are advised to apply the security updates immediately from the following URL:

https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/

 

REFERENCE:

1. https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0021
2. https://thehackernews.com/2021/09/sonicwall-issues-patches-for-new.html
3. https://www.sonicwall.com/support/product-notification/security-notice-critical-arbitrary-file-delete-vulnerability-in-sonicwall-sma-100-series-appliances/210819124854603/
4. https://nvd.nist.gov/vuln/detail/CVE-2021-20034
