Malware Devil

Loading...

Monday, February 8, 2021

Security Alert: [Updated] Alert Regarding Vulnerability in SonicWall SMA 100 Series (CVE-2021-20016)

JPCERT-AT-2021-0006
JPCERT/CC
2021-02-04(Initial)
2021-02-08(Update)

I. Overview

On February 3, 2021 (Local Time), SonicWall has released information regarding a vulnerability (CVE-2021-20016) in its SMA 100 series.A remote attacker leveraging this vulnerability may gain admin credential access. For more information on the vulnerability, please refer to the information provided by SonicWall.

SonicWall
Confirmed Zero-day vulnerability in the SonicWall SMA100 build version 10.x
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

On January 22, 2021, the company announced that it had identified a coordinated attack exploiting probable zero-day vulnerabilities, and other information of vulnerability being exploited has been reported.Attackers may exploit the vulnerability and then perform further attacks once getting into victim network, which may lead to further damage.

Users of the products that are affected by this vulnerability are recommended to check the information and take measures such as applying countermeasures or workarounds as soon as possible.

II. Affected Products

Affected products and versions are as follows:

The following SMA 100 series products running on firmware version 10.x
– SMA 200
– SMA 210
– SMA 400
– SMA 410
– SMA 500v

According to SonicWall, firmware versions prior to 10.x are not affected by this vulnerability.

III. Solution

SonicWall has released the version that addresses this vulnerability.Please update to the version by referring to the information provided by SonicWall.

– 10.2.0.5-d-29sv

According to SonicWall, SMA 500v base image for Hyper-V, ESXi, Azure,AWS will be available shortly. Also, vulnerable virtual SMA 100 series 10.x images have been pulled from AWS and Azure marketplaces and updated images will be re-submitted as soon as possible.

Also, due to the potential credential exposure, users are also recommended to apply the following measures as well as updating the version:

– Reset the passwords for any users who may have logged in to the device via the web interface.
– Enable multifactor authentication (MFA) as a safety measure.

IV. Workarounds

Enabling MFA (multi-factor authentication) and resetting passwords as described above are listed as workarounds.

In addition, SonicWall says enabling the built-in Web Application Firewall (WAF) function can also mitigate the vulnerability. According to SonicWall, 60 complimentary days of WAF enablement are added to all registered SMA 100 series devices with 10.x code to enable this mitigation technique.

SonicWall
How to Configure Web Application Firewall (WAF) on the SMA 100 Series?
https://www.sonicwall.com/support/knowledge-base/210202202221923/

V. Investigation for compromise

On January 31, 2021 (local time), Rich Warren, who belongs to the NCC Group which had discovered this vulnerability, released IOC information to help with compromise investigation.

1. Authentication bypass for access to the management interface

Look for the access log for a request to ‘/cgi-bin/management’ that do not have a preliminary successful request to ‘/__api__/v1/logon’ or’/__api__/v1/logon/<id>/authenticate’. If these requests do exist, then it could indicate an authentication bypass to the management interface.

2. Authentication bypass for access to the user interface

Look for the access log for requests to ‘/cgi-bin/sslvpnclient’ or’/cgi-bin/portal’ that do not have a preliminary successful request to’/cgi-bin/userLogin’, ‘/__api__/v1/login’, or’/__api__/v1/logon/<id>/authenticate’. If such requests do exist,then it could indicate a user-level authentication bypass.

Rich Warren@buffaloverflow
https://twitter.com/buffaloverflow/status/1355874671347044354
https://twitter.com/buffaloverflow/status/1355876985726242819

Bleeping Computer
SonicWall fixes actively exploited SMA 100 zero-day vulnerability
https://www.bleepingcomputer.com/news/security/sonicwall-fixes-actively-exploited-sma-100-zero-day-vulnerability/

VI. References

SonicWall
SonicWall Publishes Critical Patch for SMA 100 Series 10.X Zero-Day Vulnerability
https://www.sonicwall.com/blog/2021/01/sonicwall-identifies-coordinated-attack-on-netextender-vpn-client-version-10-and-sma-100-series/

SonicWall
Urgent Patch Available for SMA 100 Series 10.x Firmware Zero-Day Vulnerability [Updated Feb. 3, 2 P.M. CST]
https://www.sonicwall.com/support/product-notification/urgent-security-notice-probable-sma-100-series-vulnerability-updated-jan-25-2021/210122173415410/

SonicWall
SonicWall SMA 100 Series Security Best Practice Guide
https://www.sonicwall.com/techdocs/pdf/SMA-100-Series-Security-Best-Practices-Guide.pdf

If you have any information regarding this alert, please contact JPCERT/CC.

2021-02-04 First edition
2021-02-08 Added “V. Investigation for compromise”

JPCERT Coordination Center (Early Warning Group)
MAIL: ew-info@jpcert.or.jp
https://www.jpcert.or.jp/english/

Read More

The post Security Alert: [Updated] Alert Regarding Vulnerability in SonicWall SMA 100 Series (CVE-2021-20016) appeared first on Malware Devil.



https://malwaredevil.com/2021/02/08/security-alert-updated-alert-regarding-vulnerability-in-sonicwall-sma-100-series-cve-2021-20016/?utm_source=rss&utm_medium=rss&utm_campaign=security-alert-updated-alert-regarding-vulnerability-in-sonicwall-sma-100-series-cve-2021-20016
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...