Get patching: SonicWall warns of vulnerabilities in SMA 100 series remote access devices

Patch now, as researchers will publish a proof-of-concept exploit in January 2022.
Written by Liam Tung, Contributing Writer

SonicWall is warning customers to apply firmware updates to its SMA 100 Series appliances for remote access from mobile devices, in order to patch vulnerabilities of critical and medium severity. 

SonicWall says in an advisory that it "strongly urges" customers to apply new fixes to address eight flaws that the US Cybersecurity and Infrastructure Agency (CISA) warns would allow a remote attacker to take control of an affected system. CISA recommends customers apply the necessary firmware updates "as soon as possible", in part because these appliances have historically been popular targets for attackers.

The eight bugs range from critical to medium severity and affect a sensitive piece of the network, since the appliances provide employees with remote access to internal resources.

The eight bugs were discovered by researchers at Rapid7 and NCC Group. The most dangerous of them has a severity rating of 9.8 out of a possible 10.

SonicWall's Secure Mobile Access (SMA) 100 Series appliances for small and medium businesses enable secure remote access from mobile devices anywhere via its NetExtender and Mobile Connect VPNs.

Affected SMA 100 series appliances include SMA 200, 210, 400, 410 and 500v products. SonicWall notes its SMA 100 series appliances with WAF enabled are also impacted by the majority of the vulnerabilities.

"There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible," SonicWall notes.

It adds that there was no evidence of these vulnerabilities being exploited in the wild. However, now that the bugs have been publicly disclosed, attackers may soon develop exploits for them, especially since bugs in SMA 100 appliances have been exploited quickly in the past. 

Rapid7 says it "will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process."

CISA emphasizes that it warned in July that attackers were actively targeting a previously patched vulnerability in SonicWall SMA 100 series appliances. 

FireEye's incident response group Mandiant in May reported that threat actors linked to the notorious DarkSide ransomware-as-a-service were exploiting the flaw (CVE-2021-20016) in SMA 100 series appliances. Highlighting the speed with which attackers exploit new flaws in key equipment, SonicWall had released firmware to address the issues in late April. DarkSide was the network responsible for the Colonial Pipeline ransomware attack that downed its US East Coast fuel distribution network for nearly a week in May.