Security Experts:

SonicWall Patches SMA Zero-Day Vulnerability Exploited in Attacks

SonicWall on Wednesday announced that it released firmware updates for its Secure Mobile Access (SMA) 100 series appliances to patch an actively exploited zero-day vulnerability.

The patch is included in firmware version, which users have been advised to immediately apply to avoid potential attacks. The vendor said the patch also contains additional code designed to strengthen devices.

SonicWall, which specializes in firewalls and other cybersecurity solutions, previously told SecurityWeek that a few thousand devices are exposed to attacks due to the vulnerability.SonicWall patches SMA zero-day

The critical patch can be applied to SMA 200, 210, 400 and 410 physical appliances, and SMA 500v virtual appliances on Azure, AWS, ESXi and Hyper-V. Other SonicWall products do not appear to be impacted.

The vulnerability, which has been rated critical with a CVSS score of 9.8, now also has a CVE identifier: CVE-2021-20016.

The company explained that a hacker can launch a “remote code execution attack” after gaining access to admin credentials.

“A vulnerability resulting in improper SQL command neutralization in the SonicWall SSLVPN SMA100 product allows remote exploitation for credential access by an unauthenticated attacker,” reads SonicWall’s advisory for CVE-2021-20016.

SonicWall informed customers on January 22 that its internal systems were targeted in an attack apparently launched by sophisticated threat actors that may have exploited zero-day vulnerabilities in the company’s secure remote access products.

The company launched an investigation, but couldn’t confirm the existence of a zero-day vulnerability in its SMA 100 series appliances until February 1, shortly after cybersecurity firm NCC Group reported seeing “indiscriminate” attempts to exploit what appeared to be a previously unknown security flaw.

Until the patches were made available, SonicWall shared some recommendations on how customers can prevent potential attacks, including by enabling multi-factor authentication, blocking access to appliances on the firewall, shutting down vulnerable devices, or downgrading firmware to a version that is not affected.

Shortly after SonicWall disclosed the breach, some anonymous individuals claimed the company was hit by ransomware and the attackers had stolen source code and customer data, but none of those claims have been confirmed. The “proof” seen by SecurityWeek at the time seemed questionable.

SonicWall says it cannot provide any additional information at this time.

Related: Critical Vulnerability Allows Hackers to Disrupt SonicWall Firewalls

Related: Serious Vulnerabilities Expose SonicWall SMA Appliances to Remote Attacks

Related: IoT Botnets Target Apache Struts, SonicWall GMS

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.