SonicWall Warns of Severe Vulnerability in SMA 1000 SSLVPN

SonicWall “strongly” recommends that customers fix a high-risk vulnerability in its Secure Mobile Access (SMA) 1000 series products that could compromise unpatched appliances.

https://www.sonicwall.com/support/knowledge-base/security-notice-sma-1000-series-unauthenticated-access-control-bypass/220510172939820/

The SonicWall Product Security & Incident Response Team (PSIRT) has identified and patched the following vulnerabilities affecting Secure Mobile Access (SMA) 1000 Series products:

Unauthenticated access control bypass
Use of hard-coded/shared cryptographic key
URL redirection to an untrusted site (open redirection)

SonicWall SMA 1000 SSLVPN solutions are used by enterprises to simplify end-to-end secure remote access to corporate resources in on-premise, cloud, and hybrid data center environments.

The first vulnerability (unauthenticated access control bypass, severity “high”) is currently tracked as CVE-2022-22282, while the other two vulnerabilities (hard-coded encryption key and open redirect, severity “medium”) are still awaiting CVE IDs.

SonicWall strongly recommends that organizations using SMA 1000 Series products upgrade to the latest patch.

The company also commented that this vulnerability does not affect SMA 1000 series and SMA 100 series products, CMS, and remote access clients running versions prior to 12.4.0.

The vulnerability affects the following models of the SMA 1000 series: 6200, 6210, 7200, 7210, 8000v (ESX, KVM, Hyper-V, AWS, Azure).

Of the three vulnerabilities, CVE-2022-22282 is the most serious because it allows an unauthenticated attacker to bypass access controls and access internal resources.

This vulnerability can be remotely exploited in low-complexity attacks that do not require user interaction.

Also, the hard-coded encryption key weakness can have serious consequences if left unpatched and exploited by an attacker to gain access to encrypted credentials.

According to MITRE’s CWE database, “The use of hardcoded encryption keys significantly increases the likelihood that encrypted data will be recovered.”

“If a hard-coded encryption key is used, it is almost certain that a malicious user will gain access through said account.”

SonicWall device targeted by ransomware

Since the SMA 1000 series of VPN appliances are used to protect remote connections to corporate networks, attackers are likely to consider ways to exploit them.

The company’s VPN products also have a history of being targeted in ransomware attacks: the HelloKitty / FiveHands operator was confirmed to have exploited a zero-day vulnerability in the SMA 100 appliance.

As recently as July 2021, SonicWall warned of an increased risk of ransomware attacks targeting its discontinued SMA 100 Series and Secure Remote Access products.

SonicWall’s products are used by over 500,000 enterprise customers from 215 countries and regions worldwide, many of which are deployed in the networks of government agencies and the world’s largest corporations.
