Threat Response – SonicWall fixes critical bug allowing SMA 100 device takeover

24-09-2021

On Friday 24 September, SonicWall patched a critical security flaw affecting several Secure Mobile Access (SMA) 100 series products; the flaw can let unauthenticated attackers remotely gain administrator access to targeted devices. [1]

Description

The SMA 100 series appliances are vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034 [2]. This includes the SMA 200, 210, 400, 410 and 500v devices. Successful exploitation can let attackers delete arbitrary files from unpatched SMA 100 devices and reboot them to default settings. Consequently, attackers may gain administrator access to the device.

There are no temporary mitigations to remove the attack vector, and SonicWall strongly urges organisations using SMA 100 series appliances to deploy security updates that address the flaw as soon as possible.

Impact

Successful exploitation may lead to complete control of the firewall and thus to access to the organisation’s network. Therefore, we assess the impact as high.

Risk

Although there is currently no evidence that this vulnerability is being exploited in the wild, SonicWall SMA 100 series appliances have been targeted by ransomware groups multiple times since the start of 2021 [1]. In July 2021, SonicWall warned of an increased risk of ransomware attacks [3] targeting unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) products. For this reason, we estimate the risk as high.

What should you do?

Log in to MySonicWall.com to upgrade the appliances to the patched firmware versions outlined in the table embedded below.

Product:  SMA 100 Series
Platform: SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure)

Impacted Version            Fixed Version
10.2.1.0-17sv and earlier   10.2.1.1-19sv and higher
10.2.0.7-34sv and earlier   10.2.0.8-37sv and higher
9.0.0.10-28sv and earlier   9.0.0.11-31sv and higher
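The Python script below is an added example for checking an appliance inventory against the version table above; it is not tooling from Northwave or SonicWall. It parses SMA firmware strings of the form "10.2.1.0-17sv" and reports every host that is not confirmed to run a fixed build. Two assumptions are made that the table does not state explicitly: each row is treated as one firmware branch identified by the first three version components (10.2.1.x, 10.2.0.x, 9.0.0.x), and a version that falls between the "and earlier" and "and higher" values is reported as unlisted and therefore still in need of an upgrade. The hostnames and versions in the sample inventory are constructed for the example.

```python
"""Check SonicWall SMA 100 firmware versions against the CVE-2021-20034 advisory table."""
import re

# Impacted/fixed pairs as listed in the advisory table. Each row is read as one
# firmware branch: "impacted and earlier" is affected, "fixed and higher" is patched.
ADVISORY_TABLE = [
    ("10.2.1.0-17sv", "10.2.1.1-19sv"),
    ("10.2.0.7-34sv", "10.2.0.8-37sv"),
    ("9.0.0.10-28sv", "9.0.0.11-31sv"),
]

# SMA firmware strings look like "10.2.1.0-17sv": four dotted numbers plus an "-NNsv" build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text):
    """Turn '10.2.1.0-17sv' into a comparable tuple (10, 2, 1, 0, 17)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def _branch(version):
    # Assumption (not stated in the advisory): a table row covers the firmware
    # branch identified by the first three components, e.g. 10.2.1.x or 9.0.0.x.
    return version[:3]


def assess(version_text):
    """Classify one firmware version.

    Returns (status, fixed_version) where status is one of:
      'vulnerable'   - at or below the impacted version of the matching row
      'fixed'        - at or above the fixed version of the matching row
      'unlisted'     - between the two; the table says nothing about it, so treat as affected
      'not_in_table' - a branch the advisory does not mention
    """
    version = parse_version(version_text)
    for impacted_text, fixed_text in ADVISORY_TABLE:
        impacted, fixed = parse_version(impacted_text), parse_version(fixed_text)
        if _branch(version) != _branch(impacted):
            continue
        if version <= impacted:
            return "vulnerable", fixed_text
        if version >= fixed:
            return "fixed", None
        return "unlisted", fixed_text
    return "not_in_table", None


def hosts_needing_upgrade(inventory):
    """Return (hostname, version, status, fixed_version) for every host not confirmed fixed."""
    report = []
    for hostname, version_text in inventory:
        try:
            status, fixed_text = assess(version_text)
        except ValueError:
            # Malformed inventory data is reported rather than silently skipped.
            status, fixed_text = "unparseable", None
        if status != "fixed":
            report.append((hostname, version_text, status, fixed_text))
    return report


# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE_INVENTORY = [
    ("sma-ams-01", "10.2.1.0-17sv"),   # impacted, upgrade to 10.2.1.1-19sv
    ("sma-ams-02", "10.2.1.1-19sv"),   # already on the fixed build
    ("sma-rtm-01", "10.2.0.6-32sv"),   # older than the listed impacted build, still affected
    ("sma-rtm-02", "9.0.0.11-30sv"),   # between impacted and fixed: not covered by the table
    ("sma-lab-01", "10.2.2.0-1sv"),    # branch the advisory does not list
    ("sma-lab-02", "unknown"),         # malformed inventory entry
]

if __name__ == "__main__":
    for row in hosts_needing_upgrade(SAMPLE_INVENTORY):
        print(row)
```

Feed the script the hostname/version pairs exported from your asset register; anything reported as "unlisted", "not_in_table" or "unparseable" should be verified by hand against MySonicWall rather than assumed safe.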

What will Northwave do?

Northwave is investigating the possibilities for monitoring exploitation attempts of this vulnerability, and will implement detection rules when possible.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85 043 7909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://www.bleepingcomputer.com/news/security/sonicwall-fixes-critical-bug-allowing-sma-100-device-takeover/
[2]: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0021
[3]: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-ransomware-risk-to-eol-sma-100-vpn-appliances/

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.