SonicWall fixes a critical bug allowing the takeover of the SMA 100 device


SonicWall fixed a critical security vulnerability affecting several Secure Mobile Access (SMA) 100 series products that can allow unauthenticated attackers to gain administrator access to targeted devices remotely.

The SMA 100 series appliances vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034 include SMA 200, 210, 400, 410 and 500v.

There are no temporary mitigations to remove the attack vector, and SonicWall strongly urges impacted customers to deploy the security updates that correct the flaw as soon as possible.

No in-the-wild exploitation

Successful exploitation can let attackers delete arbitrary files from unpatched SMA 100 secure access gateways, reboot them to factory default settings, and potentially gain administrator access to the device.

“The vulnerability is caused by improper limitation of a file path to a restricted directory that can lead to arbitrary deletion of files as a person,” the company noted.

SonicWall has asked organizations using SMA 100 series appliances to log in immediately and upgrade the appliances to the patched firmware versions described in the table below.

The company has found no evidence that this critical pre-authentication vulnerability is currently being exploited in the wild.

Product Platform Impacted version Fixed version
SMA 100 Series • SMA 200
• SMA 210
• SMA 400
• SMA 410
• SMA 500v (ESX, KVM, AWS, Azure) and earlier versions and above and earlier versions and above and earlier and higher

Ransomware targeting

SonicWall SMA 100 series appliances have been targeted by ransomware gangs on multiple occasions since the start of 2021, with the ultimate goal of moving laterally into the target organization’s network.

For example, a threat group tracked by Mandiant as UNC2447 exploited the CVE-2021-20016 zero-day bug in SonicWall SMA 100 appliances to deploy a new strain of ransomware known as FiveHands (a variant of DeathRansom, just like HelloKitty).

Their attacks targeted several North American and European organizations before the release of security updates in late February 2021. The same flaw was also exploited in January in attacks targeting internal SonicWall systems and was then indiscriminately abused in the wild.

Two months ago, in July, SonicWall warned of an increased risk of ransomware attacks targeting unpatched end-of-life (EoL) SMA 100 and Secure Remote Access (SRA) products.

Security researchers from CrowdStrike and Coveware added to SonicWall’s warning, saying that the ransomware campaign was underway. CISA confirmed the researchers’ findings three days later, warning that threat actors were targeting a previously patched SonicWall vulnerability.

BleepingComputer also reported at the time that the HelloKitty ransomware had been exploiting the vulnerability (tracked as CVE-2019-7481) for a few weeks before the release of SonicWall’s “urgent security advisory”.

SonicWall recently revealed that its products are used by more than 500,000 business customers in more than 215 countries and territories around the world. Many of them are deployed across the networks of the world’s largest organizations, businesses and government agencies.

