SonicWall Releases Fixes for New Critical Flaw in SMA 100 Series Devices
Network security company SonicWall fixed a critical security vulnerability in its Secure Mobile Access (SMA) 100 series appliances that can allow remote and unauthenticated attackers to gain administrator access to targeted devices remotely.
Tracked as CVE-2021-20034, the arbitrary file deletion flaw is ranked 9.1 out of a maximum of 10 on the CVSS scoring system, and could allow an adversary to bypass pathway checks and remove n ‘any file, causing the devices to restart at the factory. default settings.
“The vulnerability is caused by improperly limiting a file path to a restricted directory that could lead to files being arbitrarily deleted as ‘person’,” the San Jose-based company noted in a notice released Thursday. “There is no evidence that this vulnerability is being exploited in the wild.”
SonicWall credited Alpha Lab’s Wenxu Yin, Qihoo 360, with reporting the security vulnerability, which affects the SMA 100 series – SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v – running the following versions:
- 22.214.171.124-28sv and earlier
- 10.2.0.7-34sv and earlier versions
- 10.2.1.0-17sv and earlier versions
Since there is no workaround to address the attack vector and SonicWall devices have become a lucrative target for threat actors to deploy ransomware in recent months, customers are advised to upgrade implement applicable fixes as soon as possible to mitigate any potential operational risk.