Sonicwall SMA100: Attackers abuse old vulnerability

Attacks are currently taking place on old vulnerabilities in Sonicwall's firmware for devices in the SMA100 series.

A threat actor / hacker wearing a hoodie and mask attacks a server cabinet labeled "SonicWall".

(Image: Created with AI in Bing Designer by heise online / cku)

An old vulnerability in Sonicwall's SMA100 series firewalls is currently under active attack. The US IT security authority CISA has announced this and added the vulnerability to its Known Exploited Vulnerabilities catalog.

Sonicwall has also updated its security notice and acknowledges the cyberattacks that are currently being observed. The vulnerability was originally disclosed in September 2021. “Insufficient filtering of elements in the management interface of the SMA100 series allows logged-in attackers from the network to inject arbitrary commands as user 'nobody', possibly leading to a denial of service”, reads the vulnerability description in the CVE entry CVE-2021-20035, which at that time was rated CVSS 6.5, risk level “medium”.

Sonicwall now assigns the vulnerability a CVSS value of 7.2, which puts it at risk level “high”. In addition, the end of the description no longer states that attackers can provoke a denial of service; according to the updated notice, they can apparently inject and execute malicious code instead. Sonicwall has also added the following under the comments section: “This vulnerability may be abused in the wild”.

The SMA 200, 210, 400, 410 and 500v devices from the SMA100 series (for ESX, KVM, AWS and Azure) are vulnerable. Firmware versions 10.2.1.1-19sv, 10.2.0.8-37sv and 9.0.0.11-31sv and newer close the exploited vulnerability. IT managers should apply the available updates quickly.
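One way to check an appliance inventory against the three fixed firmware versions named above, as an added example that is not from Sonicwall or the original article. It assumes the first three numeric fields identify the release train and that the rest of the string orders builds within a train; the hostnames and sample versions are constructed.

```python
import re

# Fixed firmware builds named in the article, one per release train.
FIXED = ["10.2.1.1-19sv", "10.2.0.8-37sv", "9.0.0.11-31sv"]
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse(version):
    """Split '10.2.0.8-37sv' into ((10, 2, 0), (8, 37)): train, then build."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    nums = tuple(int(g) for g in m.groups())
    return nums[:3], nums[3:]  # assumption: first three fields name the train


FIXED_BY_TRAIN = dict(parse(v) for v in FIXED)


def status(version):
    """Return 'patched', 'vulnerable' or 'unknown' for one firmware string."""
    try:
        train, build = parse(version)
    except ValueError:
        return "unknown"
    if train in FIXED_BY_TRAIN:
        return "patched" if build >= FIXED_BY_TRAIN[train] else "vulnerable"
    if train > max(FIXED_BY_TRAIN):
        return "patched"  # newer than every listed train ("and newer")
    return "unknown"  # train not covered by the article: check the notice


def needs_attention(inventory):
    """Return (host, version, status) for every device not known to be patched."""
    return [(h, v, status(v)) for h, v in inventory if status(v) != "patched"]


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    fleet = [
        ("sma-edge-01", "10.2.1.0-17sv"),
        ("sma-edge-02", "10.2.0.8-37sv"),
        ("sma-lab-01", "9.0.0.10-28sv"),
        ("sma-lab-02", "10.1.0.3-2sv"),
    ]
    for host, version, state in needs_attention(fleet):
        print(f"{host}: {version} -> {state}")
```

Devices reported as "unknown" run a release train the article does not mention and need to be checked against the vendor's notice by hand.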

Neither Sonicwall nor CISA specifies what the observed (or “possible”) attacks look like or to what extent they are taking place. It is therefore also unclear how IT admins can recognize whether they have been attacked or even compromised.

Anyone using Sonicwall firewalls should not hesitate to install the updates provided. Time and again, cyber criminals exploit security gaps in the devices to gain unauthorized access to networks. In mid-February, for example, it became known that attackers had misused a vulnerability in Sonicwall firewalls to hijack VPN connections.

(dmk)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.