SonicWall SMA 100 Series Zero-Day Attack

Summary

Updates and remediation instructions have been released to address a zero-day vulnerability being actively exploited against SonicWall SMA 100 Series gateways.


Affected platforms

The following platforms are known to be affected:

SonicWall SMA 100 Series devices with 10.x firmware, including SMA 200 / 210 / 400 / 410 / 500v (Azure, AWS, ESXi, Hyper-V)


Threat details

Introduction

SonicWall has released a firmware update and additional remediation instructions to address an active zero-day attack against its SMA 100 Series gateways, which are marketed for smaller workplaces.

A remote attacker could exploit the vulnerability to steal credentials or take control of an affected device. Vulnerable devices may have already been exploited.

Vulnerability details and indicators of compromise have not been released at the time of publication.

 


Remediation advice

Administrators should immediately review SonicWall's security advisory and upgrade affected devices to firmware version SMA 10.2.0.5-29sv.

Login credentials may have already been compromised from vulnerable devices. Therefore, passwords should be reset for any user accounts that may have logged in to an affected device via the web interface, including administrative accounts. Multi-factor authentication (MFA) should be enabled as an additional safety precaution against use of stolen credentials. SonicWall's Security Best Practice Guide for the SMA 100 Series gives detailed steps and further recommendations for securely configuring these devices.

Administrators unable to immediately deploy firmware updates can enable the built-in Web Application Firewall (WAF) feature to mitigate the vulnerability. SonicWall is enabling WAF free of charge for 60 days on all registered SMA 100 Series devices running affected firmware versions. SonicWall advises that this mitigation should only be used as a safety measure until firmware updates can be applied.
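To find which devices in an inventory still need the upgrade described above, the following added example (not from SonicWall or this advisory) compares firmware strings against 10.2.0.5-29sv. It assumes firmware strings follow the same layout as that version (four dotted numbers, a build number, then "sv"); the hostnames, sample versions and function names are constructed for illustration.

```python
import re

# Fixed firmware named in the advisory above.
FIXED = "10.2.0.5-29sv"
# Assumed layout: four dotted numbers, a build number, then "sv".
_VERSION = re.compile(r"^\s*(?:SMA\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv\s*$", re.I)


def parse_version(text):
    """Return the version as a tuple of five ints, or None if it does not parse."""
    m = _VERSION.match(text)
    return tuple(int(part) for part in m.groups()) if m else None


def triage(firmware):
    """Classify one device's firmware string against the advisory."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"      # unreadable string: check the device by hand
    if version[0] != 10:
        return "not-listed"   # this advisory lists 10.x only; check the vendor advisory
    if version < parse_version(FIXED):
        return "upgrade"      # 10.x build below the fixed release
    return "fixed"            # numeric compare, so 10.10.x sorts above 10.2.x


def report(inventory):
    """Return (host, firmware, status) rows, most urgent first."""
    order = {"upgrade": 0, "unknown": 1, "not-listed": 2, "fixed": 3}
    rows = [(host, fw, triage(fw)) for host, fw in inventory.items()]
    return sorted(rows, key=lambda row: (order[row[2]], row[0]))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "sma-branch-01": "10.2.0.3-24sv",
    "sma-hq-01": "SMA 10.2.0.5-29sv",
    "sma-lab-01": "10.2.0.5-12sv",
    "sma-old-01": "9.0.0.9-26sv",
    "sma-dr-01": "ten-two",
}

if __name__ == "__main__":
    for host, fw, status in report(SAMPLE):
        print(f"{host:15} {fw:20} {status}")
```

A device that reports `fixed` may still have run an affected build earlier, so the password resets and MFA described above apply to it as well.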

Any suspected attacks should be reported to the Cyber Security Operations Centre.



Last edited: 22 February 2021 4:51 pm