SonicWall has released a patch for the zero-day vulnerability used in attacks against the SMA 100 series of remote access appliances.
On January 22nd, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in the SMA 100 series of SonicWall networking devices.
A little over a week later, cybersecurity firm NCC Group discovered a zero-day vulnerability for the SonicWall SMA 100 that was actively being exploited in the wild.
SonicWall later confirmed the zero-day vulnerability and announced that owners could use the built-in Web Application Firewall (WAF) to neutralize the vulnerability.
As the WAF requires a paid license, SonicWall has added a free 60-day WAF license to all registered SMA 100 series devices running 10.x firmware.
Today, SonicWall has released an SMA 100 series firmware 10.2.0.5-29sv update that fixes the actively exploited zero-day vulnerability in the SMA 100 series of devices.
“All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation,” SonicWall says.
Impacted SMA 100 devices running affected 10.x firmware and requiring this critical patch include:
The patch addresses security bugs tracked under the SNWLID-2021-0001 advisory. The vulnerabilities allow attackers to gain admin credentials and remotely execute arbitrary code on successfully exploited devices.
The recommended update procedure for all customers using SMA 10.x firmware requires you to:
Admins who cannot immediately apply this patch should enable the Web Application Firewall (WAF) until they are ready to deploy the patch on affected devices.
At this time, SonicWall has not provided any details on the vulnerability, but tweets from NCC Group’s Ollie Whitehouse and Rich Warren indicate that it allows remote access to the management interface without authorization.
When asked on Twitter how SonicWall admins can detect whether the vulnerability has been exploited on their devices, Whitehouse and Warren provided tips on detecting an “auth bypass” on the device.
“It is hard to detail what to look for without making it too easy as we saw with F5 and Citrix. Looking for unexpected management interface access is the indicator at the moment,” tweeted Whitehouse on detecting exploitation of SonicWall devices.
NCC Group’s Rich Warren went a bit further and listed specific paths in a SonicWall log that could indicate a successful exploit of the authorization bypass.
For SonicWall users performing logging, Warren states that they can look for requests to ‘/cgi-bin/management’ that do not have a previous successful request to ‘/__api__/v1/logon’ or ‘/__api__/v1/logon//authenticate’.
If these requests do exist, then it would indicate an authorization bypass to the management interface.
To check for user-level bypass via the VPN client or the web, Warren says admins should look for access log entries to:
/cgi-bin/sslvpnclient
/cgi-bin/portal
If a user accessed those paths without also previously accessing the following paths, it indicates a user-level authorization bypass.
Via VPN client:
/cgi-bin/userLogin (for VPN client)
Via web:
/__api__/v1/logon (200)
/__api__/v1/logon//authenticate
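The two checks Warren describes (a management-interface hit with no prior successful logon, and a user-level portal or VPN-client hit with no prior login) can be turned into a small log-correlation script. The following is an added example written for this article; it is not code from SonicWall, NCC Group, or the article itself. It assumes a common-log-style access log format (SonicWall's real log layout is not shown here), treats an HTTP 200 on the ‘/__api__/v1/logon’ paths as the “successful” request the tweets refer to, counts any ‘/cgi-bin/userLogin’ request as a VPN-client login because no status is given for it, and correlates “previous” requests by client IP, which is an assumption the original tips do not state. The sample log lines are constructed.

```python
import re

# Constructed sample access log (hypothetical format; SonicWall's real format differs).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200
10.0.0.5 - - [02/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200
10.0.0.5 - - [02/Feb/2021:10:00:05 +0000] "GET /cgi-bin/management HTTP/1.1" 200
10.0.0.9 - - [02/Feb/2021:10:01:00 +0000] "GET /cgi-bin/management HTTP/1.1" 200
10.0.0.7 - - [02/Feb/2021:10:02:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200
10.0.0.7 - - [02/Feb/2021:10:02:01 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200
10.0.0.11 - - [02/Feb/2021:10:03:00 +0000] "GET /cgi-bin/portal HTTP/1.1" 200
10.0.0.12 - - [02/Feb/2021:10:04:00 +0000] "POST /__api__/v1/logon HTTP/1.1" 401
10.0.0.12 - - [02/Feb/2021:10:04:01 +0000] "GET /cgi-bin/portal HTTP/1.1" 200
"""

# Assumed log layout: client ip, two ident fields, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths from the article: protected endpoints and the logins that should precede them.
MGMT_PATHS = {"/cgi-bin/management"}
API_LOGON_PATHS = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate"}
USER_PATHS = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}
VPN_CLIENT_LOGIN = "/cgi-bin/userLogin"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_bypasses(lines):
    """Return (ip, path, timestamp, kind) for protected-path requests with no prior login.

    Correlation is by client IP (an assumption): a login seen earlier in the log for an
    IP marks that IP as authenticated for the rest of the scan. Real deployments would
    also bound this by session lifetime and by the SMA's own session identifiers.
    """
    authed_mgmt = set()  # IPs with a successful (200) /__api__/v1/logon* request
    authed_user = set()  # IPs with either a web logon or a VPN-client userLogin
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if path in API_LOGON_PATHS and status == 200:
            authed_mgmt.add(ip)
            authed_user.add(ip)
        elif path == VPN_CLIENT_LOGIN:
            authed_user.add(ip)
        elif path in MGMT_PATHS and ip not in authed_mgmt:
            findings.append((ip, path, rec["ts"], "management-bypass"))
        elif path in USER_PATHS and ip not in authed_user:
            findings.append((ip, path, rec["ts"], "user-bypass"))
    return findings


if __name__ == "__main__":
    for ip, path, ts, kind in find_bypasses(SAMPLE_LOG.splitlines()):
        print(f"{kind}: {ip} reached {path} at {ts} without a prior login")
```

On the constructed sample the script flags 10.0.0.9 (management interface reached with no logon at all), 10.0.0.11 (portal reached with no login) and 10.0.0.12 (portal reached after a failed 401 logon), while 10.0.0.5 and 10.0.0.7 pass because their logins precede the protected request. Unflagged entries are not proof of a clean device; the tweets describe these paths only as the best indicator available at the time.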
While this does not explain in detail how the vulnerability works, the indicators show that the vulnerability (or a core component it affects) allows remote attackers to reach the internal network or the management interface without authenticating first.