mood Posted February 3, 2021

SonicWall fixes actively exploited SMA 100 zero-day vulnerability

SonicWall has released a patch for the zero-day vulnerability used in attacks against the SMA 100 series of remote access appliances.

On January 22nd, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in the SMA 100 series of SonicWall networking devices.

A little over a week later, cybersecurity firm NCC Group discovered a zero-day vulnerability for the SonicWall SMA 100 that was actively being exploited in the wild.

SonicWall later confirmed the zero-day vulnerability and announced that owners could use the built-in Web Application Firewall (WAF) to neutralize the vulnerability. As WAF requires a paid license, SonicWall has added a free 60-day WAF license to all registered SMA 100 series devices with 10.x code.

Patch released to fix the zero-day vulnerability

Today, SonicWall has released an SMA 100 series firmware 10.2.0.5-29sv update that fixes the actively exploited zero-day vulnerability in the SMA 100 series of devices.

"All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation," SonicWall says.

Impacted SMA 100 devices running affected 10.x firmware and requiring this critical patch include:

Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)

The patch addresses security bugs tracked under the SNWLID-2021-0001 advisory. The vulnerabilities allow attackers to gain admin credentials and remotely execute arbitrary code on successfully exploited devices.

The recommended update procedure for all customers using SMA 10.x firmware requires you to:

1. Upgrade to SMA 10.2.0.5-29sv firmware, available from www.mysonicwall.com. This firmware is available for everybody, regardless of the status of their support/service contract. Instructions on how to update the SMA 100 10.x series firmware can be found in this KB article for physical appliances and this KB article for virtual devices.
2. Reset the passwords for any users who may have logged in to the device via the web interface.
3. Enable multifactor authentication (MFA) as a safety measure. MFA is an invaluable safeguard against credential theft and is a key measure of good security posture. MFA is effective whether it is enabled on the appliance directly or on the directory service in your organization.

Admins who cannot immediately apply this patch should enable the Web Application Firewall (WAF) until they are ready to deploy the patch on affected devices.

Zero-day details hinted

At this time, SonicWall has not provided any details on the vulnerability, but tweets from NCC Group's Ollie Whitehouse and Rich Warren indicate that it allows remote access to the management interface without authorization.

When asked on Twitter how SonicWall admins can detect if the vulnerability has been exploited on their devices, Whitehouse and Warren provide tips on detecting an "auth bypass" on the device.

"It is hard to detail what to look for without making it too easy as we saw with F5 and Citrix. Looking for unexpected management interface access is the indicator at the moment," tweeted Whitehouse on detecting exploitation of SonicWall devices.

NCC Group's Rich Warren went a bit further and listed specific paths in a SonicWall log that could indicate a successful exploit of the authorization bypass.

For SonicWall users performing logging, Warren states that they can look for requests to '/cgi-bin/management' that do not have a previous successful request to '/__api__/v1/logon' or '/__api__/v1/logon//authenticate'. If these requests do exist, then it would indicate an authorization bypass to the management interface.

To check for user-level bypass via the VPN client or the web, Warren says admins should look for access log entries to:

/cgi-bin/sslvpnclient
/cgi-bin/portal

If a user accessed those paths without also previously accessing the following paths, it indicates a user-level authorization bypass.

Via VPN client:
/cgi-bin/userLogin (for VPN client)

Via web:
/__api__/v1/logon (200)
/__api__/v1/logon//authenticate

While this does not explain in detail how the vulnerability works, this information indicates that a core component, or the vulnerability itself, allows remote attackers to gain access to the internal network or management interface without needing to authenticate first.

Source: SonicWall fixes actively exploited SMA 100 zero-day vulnerability
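The detection tips quoted above (management-interface requests with no prior successful logon, and user-level portal or VPN-client requests with no prior userLogin or web logon) can be turned into a simple log sweep. The script below is an added example written for this post; it is not from NCC Group, SonicWall or the article. It assumes NCSA/Apache-style access-log lines and treats HTTP 200 as "successful", as the "(200)" note in the tips suggests; the real SMA 100 log format is not shown on the page, so the regex would need adapting. The log lines inside the block are constructed sample data, not output from an appliance.

```python
import re
from typing import Optional

# Paths taken from the NCC Group detection tips quoted in the post.
MGMT_PATH = "/cgi-bin/management"
MGMT_LOGON_PATHS = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate"}
USER_PATHS = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}
USER_LOGON_PATHS = {"/cgi-bin/userLogin"} | MGMT_LOGON_PATHS

# ASSUMPTION: NCSA/Apache-style access log lines. The SMA 100's own log format is
# not shown on the page, so adapt this pattern to the fields your appliance emits.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the query string but keep the path exactly as requested (including '//').
    rec["path"] = rec["target"].split("?", 1)[0]
    rec["status"] = int(rec["status"])
    return rec


def find_bypass(lines):
    """Flag protected-path requests from clients with no earlier successful logon.

    Lines are processed in file order, assumed chronological. A client that has
    completed a management logon is also treated as authenticated at user level.
    """
    mgmt_authed, user_authed = set(), set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, path, status = rec["client"], rec["path"], rec["status"]
        # Record successful logons before checking the current request.
        if status == 200:
            if path in MGMT_LOGON_PATHS:
                mgmt_authed.add(client)
            if path in USER_LOGON_PATHS:
                user_authed.add(client)
        if path == MGMT_PATH and client not in mgmt_authed:
            findings.append({"client": client, "path": path, "ts": rec["ts"], "level": "management"})
        elif path in USER_PATHS and client not in user_authed:
            findings.append({"client": client, "path": path, "ts": rec["ts"], "level": "user"})
    return findings


# Constructed sample log (not real appliance output): two legitimate sessions
# (203.0.113.10 and 192.0.2.44) and two sessions that skip the logon step.
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200 512',
    '203.0.113.10 - - [03/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200 300',
    '203.0.113.10 - - [03/Feb/2021:10:00:05 +0000] "GET /cgi-bin/management HTTP/1.1" 200 4096',
    '198.51.100.7 - - [03/Feb/2021:10:01:00 +0000] "GET /cgi-bin/management HTTP/1.1" 200 4096',
    '192.0.2.44 - - [03/Feb/2021:10:02:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200 120',
    '192.0.2.44 - - [03/Feb/2021:10:02:03 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200 900',
    '192.0.2.99 - - [03/Feb/2021:10:03:00 +0000] "GET /cgi-bin/portal?x=1 HTTP/1.1" 200 900',
    '192.0.2.99 - - [03/Feb/2021:10:03:30 +0000] "POST /__api__/v1/logon HTTP/1.1" 401 50',
]


if __name__ == "__main__":
    for f in find_bypass(SAMPLE_LOG):
        print(f"{f['ts']}  {f['client']}  {f['level']}-level bypass indicator: {f['path']}")
```

Correlating on client IP is a heuristic: users behind NAT share an address, and a legitimate session that logged on before the log window opened will be flagged, so treat hits as leads to be checked against session records rather than as proof of compromise. If the appliance logs a session identifier, keying the sets on that instead of the client address removes most of the noise.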
mood Posted February 20, 2021

SonicWall releases additional update for SMA 100 vulnerability

SonicWall has released a second firmware update for an SMA-100 zero-day vulnerability known to be used in attacks and is warning to install it immediately.

Last month, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in their SMA-100 remote access devices.

A week later, cybersecurity firm NCC Group discovered the zero-day vulnerability used in this attack actively exploited in the wild.

On February 3rd, SonicWall released a fix for the zero-day vulnerability and strongly recommended all users install it.

Additional safeguards added to the firmware

Yesterday, SonicWall announced new firmware updates for SMA-100 series devices that provide additional safeguards discovered since their last update.

"Following up on the Feb. 3 firmware update outlined below, SonicWall is announcing the availability of new firmware versions for both 10.x and 9.x code on the SMA 100 series products, comprised of SMA 200, 210, 400, 410 physical appliances and the SMA 500v virtual appliance."

"SonicWall conducted additional reviews to further strengthen the code for the SMA 100 series product line," SonicWall announced in an update to their SMA-100 security advisory.

While SonicWall does not describe what specific security fixes are in this update, they stress that all users should "IMMEDIATELY" upgrade their devices.

The changes in this new update are:

The new SMA 10.2 firmware includes:
Code-hardening fixes identified during an internal code audit
Rollup of customer issue fixes not included in the Feb. 3 patch
General performance enhancements
Previous SMA 100 series zero-day fixes posted on Feb. 3

The new 9.0 firmware includes:
Code-hardening fixes identified during an internal code audit

These updates apply to the SMA 200, SMA 210, SMA 400, SMA 410 physical devices, and the SMA 500v (Azure, AWS, ESXi, HyperV) virtual appliances.

Owners can find instructions on how to apply the updates in SonicWall's advisory.

Source: SonicWall releases additional update for SMA 100 vulnerability