---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'SonicWall 0-day Vulnerabilities'
version: '1.1'
number: '2021-006'
date: 'February 4, 2021'
---
_History:_
* _02/02/2021 --- v1.0 -- Initial publication_
* _04/02/2021 --- v1.1 -- Update with info about a patch and possible IoCs_
# Summary
On January 22nd, SonicWall disclosed that it had been hacked in an attack that exploited zero-day vulnerabilities in several of its own VPN software products, the SMA 100 series [1, 2]. On February 3rd, SonicWall released a new firmware update that fixes the vulnerability [4].
# Technical Details
On January 22nd, the manufacturer announced that it had faced a _coordinated attack_ in which unknown actors leveraged zero-day vulnerabilities in SonicWall products to target its internal systems [1, 3]. It described the attackers as _highly sophisticated threat actors_ but has not released any information on their identity.
The vulnerability results from improper neutralisation of SQL commands (SQL injection) in the SonicWall SSLVPN SMA100 product and allows an unauthenticated remote attacker to exploit it for credential access [5].
# Affected Products
This vulnerability affects SMA100 build version 10.x [5]:
- Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
- Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)
# Recommendations
CERT-EU strongly recommends upgrading your affected appliance(s) to the latest version of the firmware (SMA 10.2.0.5-29sv) [6, 7].
Moreover, CERT-EU recommends taking the following actions:
- Reset the passwords for any users who may have logged in to the device via the web interface.
- Enable multi-factor authentication (MFA).
Administrators who cannot immediately apply this patch should enable the Web Application Firewall (WAF) until they are ready to deploy it on the affected devices.
## Hunting for Compromise
NCC Group shared some guidance on how to look for potential indicators of compromise [4]. Administrators could look for requests to `/cgi-bin/management` that are not preceded by a successful request to `/__api__/v1/logon` or `/__api__/v1/logon//authenticate`. If such requests exist, this would indicate an authorisation bypass of the management interface.
To check for user-level bypass via the VPN client or the web, administrators should look for access log entries to:
```
/cgi-bin/sslvpnclient
/cgi-bin/portal
```
If a user accessed these paths without also previously accessing the following paths, it indicates a _user-level_ authorisation bypass.
Via VPN client:
```
/cgi-bin/userLogin (for VPN client)
```
Via web:
```
/__api__/v1/logon (200)
/__api__/v1/logon//authenticate
```
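The following script is an added example (not part of the original advisory or NCC Group's guidance) that applies the two checks above to an access log: it flags hits on `/cgi-bin/management` with no earlier successful admin logon from the same client, and hits on `/cgi-bin/sslvpnclient` or `/cgi-bin/portal` with no earlier successful user or admin logon. It assumes a simplified, constructed log line format (client IP, timestamp, request, status) and correlates by client IP; the real SMA access log format will differ, so adapt `LINE_RE` to your appliance's output.

```python
import re

# Constructed sample access log (simplified format, assumed for this example).
# Fields: client IP, [timestamp], "METHOD path protocol", HTTP status.
SAMPLE_LOG = """\
203.0.113.10 [03/Feb/2021:10:01:02] "POST /__api__/v1/logon HTTP/1.1" 200
203.0.113.10 [03/Feb/2021:10:01:03] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200
203.0.113.10 [03/Feb/2021:10:01:10] "GET /cgi-bin/management HTTP/1.1" 200
198.51.100.7 [03/Feb/2021:11:15:44] "GET /cgi-bin/management HTTP/1.1" 200
198.51.100.9 [03/Feb/2021:11:20:01] "POST /__api__/v1/logon HTTP/1.1" 401
198.51.100.9 [03/Feb/2021:11:20:05] "GET /cgi-bin/portal HTTP/1.1" 200
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})$')

# Paths whose successful (HTTP 200) request counts as a logon at each level;
# a web logon also satisfies the user-level check, per the advisory.
ADMIN_LOGON = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate"}
USER_LOGON = ADMIN_LOGON | {"/cgi-bin/userLogin"}
ADMIN_PROTECTED = {"/cgi-bin/management"}
USER_PROTECTED = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}


def find_bypass_candidates(log_text):
    """Return (client, timestamp, path, level) tuples for protected-path hits
    with no earlier successful logon from the same client (assumed correlation
    key). Lines are processed in file order, so the log must be chronological."""
    seen_admin_logon = set()
    seen_user_logon = set()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        client, ts, _method, path, status = m.groups()
        if status == "200" and path in ADMIN_LOGON:
            seen_admin_logon.add(client)
        if status == "200" and path in USER_LOGON:
            seen_user_logon.add(client)
        if path in ADMIN_PROTECTED and client not in seen_admin_logon:
            findings.append((client, ts, path, "admin"))
        elif path in USER_PROTECTED and client not in seen_user_logon:
            findings.append((client, ts, path, "user"))
    return findings


if __name__ == "__main__":
    for client, ts, path, level in find_bypass_candidates(SAMPLE_LOG):
        print("possible %s-level bypass: %s %s %s" % (level, client, ts, path))
```

On the constructed sample it reports the unauthenticated `/cgi-bin/management` hit from 198.51.100.7 and the `/cgi-bin/portal` hit from 198.51.100.9, whose logon attempt returned 401; a finding is a lead to investigate, not proof of compromise, since log rotation or NAT can also produce it.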
# References
[1]
[2]
[3]
[4]
[5]
[6]
[7]