We research. You level up.
Protect your devices, your data, and your privacy—at home or on the go.
“Thanks to the Malwarebytes MSP program, we have this high-quality product in our stack. It’s a great addition, and I have confidence that customers’ systems are protected.”
Featured Event: RSA 2021
Activate Malwarebytes Privacy on Windows device.
Exploits and vulnerabilities
SonicWall has issued a security notice about its SMA 100 series of appliances. The vulnerability could potentially allow a remote unauthenticated attacker the ability to delete arbitrary files from a SMA 100 series appliance and gain administrator access to the device.
SonicWall is a company that specializes in securing networks. It sells a range of Internet appliances primarily directed at content control and network security, including devices providing services for network firewalls, unified threat management (UTM), virtual private networks (VPNs), and anti-spam for email.
In June of 2021 we wrote about another vulnerability in the same Secure Mobile Access (SMA) 100 series. Back then SonicWall had been made aware of an imminent ransomware campaign using stolen credentials.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This vulnerability is listed under CVE-2021-20034 and is due to an improper limitation of a file path to a restricted directory, potentially leading to arbitrary file deletion without any authentication, which can result in a remote attacker obtaining administrator access on the underlying host.
The critical bug has received a score of 9.1 out of 10 on the CVSS scale of severity. At the moment there is no evidence that this vulnerability is being exploited in the wild.
Basically the vulnerability is an improper access control vulnerability in SMA-100 allows a remote unauthenticated attacker to bypass path traversal checks and delete an arbitrary file. Which, if the attacker knows what they are doing, can potentially result in a reboot to factory default settings. With the default settings in place the attacker can gain administrator privileges by using the factory default credentials.
The appliances that are affected are SMA 100, 200, 210, 400, 410, and 500v. Since there are no temporary mitigations, SonicWall urges impacted customers to implement applicable patches as soon as possible. A detailed list with impacted platforms and versions can be found here.
SonicWall customers can log in to its MySonicWall.com website to get updated firmware for their appliances. (The update also fixes a local privilege escalation weakness, and a denial-of-service vulnerability.)
In context of the previous vulnerability, we want to add the advice to change the administrator password on the appliances, especially if they are still set to the default. Threat actors my be inclined to scan for Internet-facing devices and try to gain access by using the default or leaked credentials.
Stay safe, everyone!
SHARE THIS ARTICLE
ABOUT THE AUTHOR
Malware Intelligence Researcher
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Write for Labs
Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.
Imagine a world without malware. We do.
NEWS AND PRESS
© All Rights Reserved
Select your language
Your intro to everything relating to cyberthreats, and how to stop them.
We research. You level up.