Urgent patch out for exploited SonicWall SMA zero-day

Firewall vendor SonicWall now has a patch available to address the critical zero-day vulnerability in its SMA 100-series appliances.

The new firmware, 10.2.0.5-29sv, handles a Structured Query Language command injection vulnerability that's rated as 9.8 out of 10 on the Common Vulnerabilities Scoring System, and which security vendor NCC Group reported to SonicWall earlier this month.

An unauthenticated remote attacker can issue SQL queries to access login credentials, to obtain other session-related information, and execute arbitrary code remotely, SonicWall warned.

SonicWall SMA 200, 210, 400 and 410 physical appliances are affected by the bug, along with the SMA 500v virtual one for Microsoft Azure and HyperV, AWS and VMware ESXi.

The company has pulled vulnerable SMA 100 series 10.x images from the AWS and Azure marketplaces, and will submit updated ones as soon as possible.

SonicWall expects the approval process for resubmitting the updated images to take several weeks, but customers using Azure and AWS clouds can patch via incremental updates.

While full details of the vulnerability have not been released by SonicWall, NCC Group hinted that it is in the management interface of affected devices.

Wait a minute...
This is being indiscriminately used by attackers in the wild, but you don't want to share any details about how someone can tell if they've been attacked with it?
Because you don't want people to find out about it?

— Will Dormann (@wdormann) January 31, 2021

One of the NCC Group researchers who reported the bug to SonicWall suggested administrators should set up centralised logging to capture anomalous requests to the /cgi-bin/management binary from the internet, to spot attackers trying to bypass authentication.

SonicWall advises users of its products to immediately apply the patch to avoid exploitation.

A mitigation measure using the built-in Web Application Firewall (WAF) in SMA products is available, and SonicWall is adding 60 days of complimentary entitlement for registered users.

However, the mitigation does not replace the need to apply the patched firmware, SonicWall said.