SonicWall VPN flaw

On 16 April, US DHS CISA warned federal agencies to secure their SonicWall Secure Mobile Access (SMA) 100 series appliances against attacks exploiting a high-severity remote code execution vulnerability.

Tracked as CVE-2021-20035, this security flaw affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices. Successful exploitation can allow remote threat actors with low privileges to execute arbitrary code in low-complexity attacks. "Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution," SonicWall explains in an advisory updated this week.[1]

SonicWall patched this vulnerability almost four years ago, in September 2021; at the time, the company said it could only be exploited to take down vulnerable appliances in denial-of-service (DoS) attacks. However, on the 14th, it updated the CVE-2021-20035 security advisory to flag the flaw as exploited in attacks, raise the CVSS severity score from medium to high, and expand the impact to include code execution. "This vulnerability is believed to be actively exploited in the wild. As a precautionary measure, SonicWall PSIRT has updated the summary and revised the CVSS score to 7.2," SonicWall said.

Product          Platform                            Impacted Version            Fixed version
SMA 100 Series   SMA 200, SMA 210, SMA 400,          10.2.1.0-17sv and earlier   10.2.1.1-19sv and higher
                 SMA 410, SMA 500v (ESX, KVM,        10.2.0.7-34sv and earlier   10.2.0.8-37sv and higher
                 AWS, Azure)                         9.0.0.10-28sv and earlier   9.0.0.11-31sv and higher
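The three branch/fix pairs in the table lend themselves to a simple inventory check. The following is an added example, not SonicWall's or Red Sky Alliance's code; it assumes SMA 100 version strings follow the `major.minor.patch.rev-NNsv` form shown in the table, and it treats any build below the fixed build of its own branch as impacted.

```python
import re

# Affected/fixed pairs from the advisory table for CVE-2021-20035, keyed by firmware
# branch (first three components). Each branch has its own fix, so a flat "higher
# than 10.2.0.8-37sv" comparison would wrongly clear 10.2.1.0-17sv.
FIXED_BY_BRANCH = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
    (9, 0, 0): "9.0.0.11-31sv",
}

# SMA 100 versions look like 10.2.1.0-17sv: four dotted numbers plus a "-NNsv" build.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Return (major, minor, patch, rev, build) so versions compare as tuples."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA 100 version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def is_vulnerable(version):
    """True if below the fixed build of its own branch, False if at or above it,
    None if the branch is absent from the advisory table (check the advisory)."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:3])
    if fixed is None:
        return None
    # Anything below the fixed build is treated as impacted, which deliberately
    # covers builds that sit between "-17sv and earlier" and "-19sv and higher".
    return parsed < parse_version(fixed)

def triage(inventory):
    """Split a {hostname: version} inventory into patch / ok / unknown host lists."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        bucket = "unknown" if state is None else ("patch" if state else "ok")
        result[bucket].append(host)
    return result

# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "sma-hq-01": "10.2.1.0-17sv",   # impacted, newest branch
    "sma-hq-02": "10.2.1.1-19sv",   # fixed
    "sma-dc-01": "10.2.0.9-40sv",   # older branch, but above its own fix
    "sma-lab-01": "9.0.0.10-28sv",  # impacted
    "sma-lab-02": "11.0.0.1-1sv",   # branch not in the table -> unknown
}
```

Calling `triage(SAMPLE_INVENTORY)` puts sma-hq-01 and sma-lab-01 in the patch list, sma-dc-01 and sma-hq-02 in ok, and sma-lab-02 in unknown; the unknown bucket is the reminder that a version outside the table needs a manual look at the advisory rather than a silent pass.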

On the 16th, CISA confirmed the vulnerability is now being abused in the wild by adding it to the Known Exploited Vulnerabilities catalog, which lists security flaws flagged by the cybersecurity agency as actively exploited in attacks.

As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until May 7th, to secure their networks against ongoing attacks.

While BOD 22-01 only applies to US federal agencies, all network defenders should prioritize patching this security vulnerability as soon as possible to block potential breach attempts.  "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA warned.

In February, SonicWall also warned of an actively exploited authentication bypass flaw in Gen 6 and Gen 7 firewalls that could let hackers hijack VPN sessions.

One month earlier, the company urged customers to patch a critical vulnerability affecting SMA1000 secure access gateways following reports that it had already been exploited in zero-day attacks.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com.

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.bleepingcomputer.com/news/security/cisa-tags-sonicwall-vpn-flaw-as-actively-exploited-in-attacks/
