US government flags worrying SonicWall flaw, so update now

News
By published

SonicWall's SMA appliances are being abused once again

A person at a laptop with a cybersecure lock symbol floating above it.
(Image credit: Shutterstock / laymanzoom)
  • SonicWall updated a security advisory for a Secure Mobile Access flaw
  • CISA added the flaw to its KEV
  • FCEB agencies have three weeks to apply the patch

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an old SonicWall vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is being used in the wild.

As a result, Federal Civilian Executive Branch (FCEB) agencies have three weeks to install the patch or stop using the product entirely.

In late 2021, SonicWall released a security advisory, warning its users about an improper neutralization vulnerability affecting multiple SonicWall Secure Mobile Access (SMA) appliances. At the time, the company said the bug could be used to take down vulnerable endpoints with a Denial-of-Service (DoS) attack. However, the company has now updated the advisory to warn about in-the-wild abuse and to upgrade its severity score from medium to high (7.2).

Monitor your credit score with TransUnion starting at $29.95/month

Monitor your credit score with TransUnion starting at $29.95/month

TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.

Preferred partner (What does this mean?)

View Deal

Abuse in the wild

"Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution," SonicWall said.

The flaw affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM, AWS, Azure) devices.

At the same time, CISA added the bug to KEV, warning about abuse in the wild. While its Binding Operational Directive 22-01 (which forces organizations to install the patch) only applies to government agencies, those in the private sector should take note when KEV gets a new entry.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA said.

In 2021, SonicWall suffered one of its largest attacks ever, when a threat actor tracked as UNC2447 abused an SQL injection vulnerability in the SMA100 instance to gain unauthorized access to networks. Following the breach, they deployed the Sombrat backdoor and a ransomware variant dubbed FiveHands.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.