SonicWall released patch for actively exploited SMA 100 zero-day

SonicWall has released a security patch to address the zero-day flaw actively exploited in attacks against the SMA 100 series appliances.

SonicWall this week released firmware updates (version 10.2.0.5-29sv) to address an actively exploited zero-day vulnerability in Secure Mobile Access (SMA) 100 series appliances.

The vulnerability, tracked as CVE-2021-20016, has been rated as critical and received a CVSS score of 9.8.

A vulnerability results in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product, it could be exploited by a remote, unauthenticated attacker for credential access on SMA100 build version 10.x.

“A vulnerability resulting in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product allows remote exploitation for credential access by an unauthenticated attacker. This vulnerability impacts SMA100 build version 10.x.” reads the advisory.

Customers have to update their installs as soon as possible, the company also revealed that the updates includes additional secuity enhancements.

“SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.” reads the advisory published by the company.

The updates are available for the following appliances:

• Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
• Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)

SonicWall disclosed a security breach on January 22, it blamed sophisticated threat actors for the intrusion.

On January, 29 SonicWall announced it was investigating the presence of a zero-day vulnerability in the Secure Mobile Access (SMA) gateways.  

SMA gateways are used by enterprise organizations to provide access to resources on intranets to remote employees.

At the end of January, security experts from the firm NCC Group have detected “indiscriminate” exploitation of a SonicWall zero-day in attacks in the wild.

NCC Group first disclosed the attacks on SonicWall devices on Sunday but did not provide details about the flaw exploited by the threat actors.

At the time, the NCC team confirmed to have demonstrated how to exploit a possible candidate for the vulnerability.

SonicWall experts pointed out that proof of concept (PoC) exploit code utilizing the Shellshock exploit shared on social media is not effective against its devices.

“We’re also aware of social media posts that shared either supposed proof of concept (PoC) exploit code utilizing the Shellshock exploit, or screenshots of allegedly compromised devices.  We have confirmed that the Shellshock attack has been mitigated by patches that we released in 2015.   We have also tested the shared PoC code and have so far concluded that it is not effective against firmware released after the 2015 patch.” continues the update. “However, we’ll continue to closely monitor any new posts and investigate new information.  This should also serve as a reminder to our customer base to always patch and keep current on internet facing devices.”

Waiting for the patches were available, SonicWall also released an updated security best practices guide for the SMA 100 series devices.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)

[adrotate banner=”5″]

[adrotate banner=”13″]