On Friday, January 22, SonicWall publicly disclosed a coordinated attack on its internal systems that it believes involved zero-day vulnerabilities in a number of its products. Information originally shared by SonicWall about the attack and the vulnerabilities was limited.
SonicWall publicly shared details about a zero-day SQL injection vulnerability involved in the attack, now tracked as CVE-2021-20016. This vulnerability affects SonicWall Secure Mobile Access (SMA) 100 10.x appliances, allowing an unauthenticated attacker to send a SQL query to a vulnerable system and extract user credentials. SonicWall has released a new firmware version—10.2.0.5-29sv—that patches against this vulnerability.
Security researchers have already released one report of threat actors exploiting this vulnerability in the wild, and Arctic Wolf expects more to follow soon. We strongly recommend that customers running the affected SMA 100 Series appliances update to the latest firmware version and apply the additional security measures described in steps 2 and 3 in the “Recommendations” section below.
Arctic Wolf is actively monitoring the information SonicWall releases about CVE-2021-20016 for new technical details that will help us enhance methods to detect and defend against attacks that exploit this vulnerability.
The following SMA 100 Appliances with 10.x firmware are affected by this vulnerability:
- Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
- Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)
Based on the information SonicWall has provided, the following describes a likely attack scenario:
- Attacker identifies an SMA appliance exposed to the public internet and sends a specially crafted SQL query
- User credentials are returned to the attacker
- Attacker leverages the credentials to log in to the appliance via the built-in web interface, where they can make malicious configuration changes and/or pivot into the organization’s internal network.
Arctic Wolf advises all customers with affected SMA Series 100 Appliances to take the following actions recommended by SonicWall:
- Update the firmware on affected appliances to version 10.2.0.5-29sv. It is available to download from SonicWall’s “MySonicWall” portal
- Reset the passwords for all SMA Appliance users
- Enable multifactor authentication on all SMA Appliance user accounts
Customers who are unable to update the firmware in a timely manner should at least apply steps 2 and 3.