SonicWall issues firmware patch after attackers exploited critical bugs

SonicWall today made available a critical patch for two vulnerabilities in its Secure Mobile Access 100 series products featuring 10.x firmware, which malicious actors exploited in a cyberattack against the infosec firm last month. 

Days after SonicWall disclosed the incident on Jan. 22, researchers with the NCC Group on Jan. 31 and Feb. 2 confirmed the presence of the two bugs, enabling the development of a fix. One flaw consists of an exploit that enables admin credential access, and the other is a remote code execution attack.

A SonicWall security advisory describes one vulnerability – designated CVE-2021-20016 and granted a CVSS score of 9.8 – as a SQL injection bug “in the SonicWall SSLVPN SMA100 product that allows a remote unauthenticated attacker to perform SQL query to access username password and other session-related information.”

SonicWall’s firmware update to version 10.2.0.5-29sv repairs the affected products, which are listed as the SMA 200, SMA 210, SMA 400 and SMA 410 appliances and the SMA 500v virtual appliance (for Azure, AWS, ESXi, and HyperV). SonicWall said that at this time it is “not aware of any forensic data that can be viewed by the user to determine whether a device has been attacked.”

Those who do upgrade the firmware are advised to “reset the passwords for any users who may have logged in to the device via the web interface” as well as enable multi-factor authentication. Those unable to install the patch at this time can apply a temporary mitigation technique by enabling their devices’ built-in web application firewall (WAF) feature.

SonicWall also noted that it pulled vulnerable virtual SMA 100 series 10.x images from AWS and Azure marketplaces. Updated images will be re-submitted as soon as possible, the company stated.