SonicWall fixes critical bug allowing SMA 100 device takeover
SonicWall has patched a critical vulnerability affecting several Secure Mobile Access (SMA) 100 series products that allows unauthenticated remote attackers to gain admin access on vulnerable devices.
SMA 200, 210, 400, 410, and 500v appliances are vulnerable to attacks targeting the improper access control vulnerability tracked as CVE-2021-20034.
There are no temporary mitigations to remove the attack vector, and SonicWall strongly advises impacted customers to install security updates as soon as possible to resolve the problem.
No exploitation in the wild has been reported.
Attackers who successfully exploit this flaw can delete arbitrary files from unpatched SMA 100 secure access gateways, reboot the device to factory default settings, and potentially gain administrator access.
SonicWall advised enterprises who use SMA 100 series appliances to immediately log in to MySonicWall.com and update the appliances to the patched firmware versions shown in the table below.
According to the company, there is currently no evidence that this serious pre-auth vulnerability is being exploited in the wild.
| Product | Platform | Impacted Version | Fixed Version |
|---|---|---|---|
| SMA 100 Series | SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v (ESX, KVM, AWS, Azure) | 10.2.1.0-17sv and earlier | 10.2.1.1-19sv and higher |
| | | 10.2.0.7-34sv and earlier | 10.2.0.8-37sv and higher |
| | | 22.214.171.124-28sv and earlier | 126.96.36.199-31sv and higher |
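As an added example (not code from the advisory or from SonicWall), the following inventory check parses SMA firmware version strings in the format used in the table above and reports which appliances still run a version older than the fix for their branch. It covers only the two branches whose version strings are intact on this page, and the hostnames in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions per branch, from the advisory table above.
# The third branch is omitted because its version strings are not legible on this page.
FIXED_VERSIONS: Dict[Tuple[int, int, int], str] = {
    (10, 2, 1): "10.2.1.1-19sv",
    (10, 2, 0): "10.2.0.8-37sv",
}

# SMA firmware strings look like "10.2.1.0-17sv": four dotted numbers, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.2.1.0-17sv' into (10, 2, 1, 0, 17) so versions compare numerically."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the firmware predates the fix on its branch, False if patched,
    None if the branch is not covered by the table (cannot be judged here)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:3])
    if fixed is None:
        return None
    return v < parse_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose reported firmware still needs the CVE-2021-20034 update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver) is True)


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = {
    "sma-edge-01": "10.2.1.0-17sv",   # below 10.2.1.1-19sv: needs patching
    "sma-edge-02": "10.2.1.1-19sv",   # exactly the fixed build
    "sma-dc-01": "10.2.0.7-34sv",     # below 10.2.0.8-37sv: needs patching
    "sma-dc-02": "10.2.0.9-40sv",     # newer than the fix
}

if __name__ == "__main__":
    print("needs update:", triage(SAMPLE_INVENTORY))
```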
Since the beginning of 2021, ransomware gangs have targeted SonicWall SMA 100 series appliances on many occasions, with the objective of migrating laterally into the target organization’s network.
For example, a threat group known as UNC2447 used the CVE-2021-20016 zero-day flaw in SonicWall SMA 100 appliances to deploy the FiveHands ransomware strain (a DeathRansom variant, like HelloKitty).
Before security patches were issued in late February 2021, their attacks targeted a number of North American and European enterprises. In January, the same issue was utilised in attacks against SonicWall’s internal systems, and it was afterwards used indiscriminately in the wild.
SonicWall warned two months ago, in July, that unpatched end-of-life (EoL) SMA 100 series and Secure Remote Access (SRA) systems were at risk of ransomware attacks.
Security researchers from CrowdStrike and Coveware added to SonicWall’s warning, stating that the ransomware campaign was still active. Three days later, CISA validated the researchers’ findings, warning that threat actors were targeting a SonicWall vulnerability that had already been patched.
HelloKitty ransomware had been exploiting the weakness (tracked as CVE-2019-7481) for a few weeks before SonicWall’s ‘urgent security notification’ was issued, according to BleepingComputer.
SonicWall recently announced that its products are used by over 500,000 businesses in 215 countries and territories across the world. Many of them may be found on the networks of the world’s top companies, organisations, and government institutions.