-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2021.0037.2
       SonicWall Confirms SMA 100 Series 10.X Zero-Day Vulnerability
                              5 February 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          SMA 200
                  SMA 210
                  SMA 400
                  SMA 410
                  SMA 500v
Operating System: Network Appliance
                  Virtualisation
Impact/Access:    Administrator Compromise -- Remote/Unauthenticated
Resolution:       Mitigation
CVE Names:        CVE-2021-20016  

Revision History: February 5 2021: Firmware update fixing vulnerability made available
                  February 2 2021: Initial Release

OVERVIEW

        SonicWall SMA 100 series appliances running 10.x firmware are affected by
        an improper SQL command neutralization (SQL injection) vulnerability that
        an unauthenticated remote attacker can use to obtain credentials [1].


IMPACT

        The vendor has provided the following details regarding this issue:
        
        "A vulnerability resulting in improper SQL command neutralization in the 
        SonicWall SSLVPN SMA100 product allows remote exploitation for credential 
        access by an unauthenticated attacker. This vulnerability impacts SMA100 
        build version 10.x"[1]
        
        "CVSS v3   9.8
        
        CVSS Vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"[1]
        
        "Affected SMA 100 devices with 10.x firmware that requires the critical patch
        
        - Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
        - Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)"[1]


MITIGATION

        SonicWall has announced "the availability of an SMA 100 series firmware 
        10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 
        10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to 
        avoid potential exploitation" [2]. Recommended upgrade steps, further 
        background and hardening guidance are provided in [2] and [3].
        
        SonicWall has provided the following recommendations:
        
        "1) Enable multifactor authentication (MFA) as a safety measure.
        
           - MFA is an invaluable safeguard against credential theft and is a key measure 
             of good security posture.
        
           - MFA is effective whether it is enabled on the appliance directly or on the 
             directory service in your organization.
        
        2) Enable WAF on SMA100.
        
        3) Reset the passwords for any users who may have logged into the device 
           via the web interface." [1]


REFERENCES

        [1] CONFIRMED ZERO-DAY VULNERABILITY IN THE SONICWALL SMA100 BUILD
            VERSION 10.X
            https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

        [2] Urgent Security Notice: NetExtender VPN Client 10.X, SMA 100 Series
            Vulnerability
            https://www.sonicwall.com/support/product-notification/210122173415410

        [3] SonicWall SMA 100 Series - Security Best Practice Guide
            https://www.sonicwall.com/techdocs/pdf/SMA-100-Series-Security-Best-Practices-Guide.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----