Critical SonicWall Flaws Could Give Hackers Control Of Systems

‘SonicWall devices have previously been exploited at scale in 2021 and are generally high-value targets for attackers,’ writes Rapid7, which discovered five of the eight SonicWall vulnerabilities disclosed this week.

SonicWall disclosed eight vulnerabilities in its Secure Mobile Access (SMA) appliances that government officials warned could allow remote attackers to take control of affected systems.

The Milpitas, Calif.-based platform security vendor revealed Tuesday that the flaws impact SMA 200, 210, 400, 310 and 510v products even when the web application firewall (WAF) is enabled. Three of the eight vulnerabilities are considered critical since they could allow remote unauthenticated attackers to execute code as the ‘nobody’ user in compromised SMA 100 series remote access appliances.

“There are no temporary mitigations,” SonicWall wrote in a product security notice. “SonicWall urges impacted customers to implement applicable patches as soon as possible.”

The vulnerabilities were reported by Rapid7 Lead Security Researcher Jake Baines and NCC Group Offensive Security Researcher Richard Warren, and could allow a remote authenticated attacker to execute arbitrary commands as the root user, resulting in the remote takeover of the device. Three of the bugs are considered to be high severity, while the remaining two are classified as medium severity.

Other high severity flaws in SonicWall’s SMA 100 would allow remote adversaries to: consume all the device’s CPU, potentially causing a Denial of Service (DoS); modify or delete files in the cgi-bin directory; and reboot the system remotely. Four of the vulnerabilities were discovered by Rapid7, three were discovered by NCC Group, and one was identified by both organizations, according to SonicWall.

“SonicWall devices have previously been exploited at scale in 2021 and are generally high-value targets for attackers,” Rapid7 Program Manager Glenn Thorpe wrote in a blog post Wednesday. “Rapid7 will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.”

There aren’t currently any reports of the latest SonicWall bugs being exploited in the wild, but the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned in July that hackers were actively targeting a known, previously patched, vulnerability in SonicWall SMA 100 series appliances. CISA and security researchers said in July that SonicWall appliances were being hit with HelloKitty ransomware.

“Organizations that fail to take appropriate actions to mitigate these vulnerabilities on their SRA [Secure Remote Access] and SMA 100 series products are at imminent risk of a targeted ransomware attack,” SonicWall wrote in an urgent security notice posted July 14.

This is not the first time SonicWall has experienced product security issues this year. In February, the company confirmed its SMA 100 appliance had a critical zero-day bug a day after researchers said the vulnerability was being exploited in the wild.

PE Hub reported in June that private equity firm Francisco Partners and activist hedge fund Elliott Management are preparing to sell SonicWall after nearly five years of ownership. SonicWall brings in nearly $400 million of revenue each year, is growing 10 percent annually, and could be valued at more than $2.5 billion based on an analysis of other quality cybersecurity vendors, PE Hub said at the time.