SonicWall released a patch for a 0-day bug under attack

Written by Emma Davis

SonicWall has released an update that patches a 0-day bug which, according to experts, was already being exploited by attackers.

At the end of January 2021, it became known that SonicWall had suffered a “coordinated hacker attack” that exploited a certain vulnerability in the company’s own products.

Soon after, experts reported that a mysterious zero-day vulnerability in SonicWall’s network devices was already under “indiscriminate” attack. At the same time, analysts were convinced that they had discovered the very same 0-day vulnerability that was used to hack SonicWall itself.

This week, the company finally released a firmware update for the SMA 100 series devices that were under attack.

“All users of SMA 200, SMA 210, SMA 400, SMA 410 and virtual SMA 500v (Azure, AWS, ESXi, HyperV) hardware solutions should install this update immediately,” the developers emphasize.

According to the security bulletin, the patch resolves issues that could allow attackers to obtain administrator credentials and remotely execute arbitrary code on devices.

Although SonicWall representatives still disclose almost no details of the vulnerability, experts from NCC Group, who had previously discovered attacks on it, have shed some light on what is happening. For example, on Twitter, Ollie Whitehouse and Rich Warren offer tips for detecting an “authentication bypass” on a device.

“It’s hard to explain exactly what to look for without oversimplifying everything, as we’ve seen with the F5 and Citrix examples. Nowadays, unexpected access to the management interface should be viewed as a direct indicator of a compromise,” wrote Whitehouse.

Rich Warren, in turn, went even further and listed certain paths that may indicate a successful bypass of authorization in the SonicWall logs. According to him, requests for /cgi-bin/management may indicate a compromise if they were not preceded by successful requests to /__api__/v1/logon or /__api__/v1/logon//authenticate.

To check for a user-level bypass through a VPN client or the Internet, look for entries about /cgi-bin/sslvpnclient and /cgi-bin/portal in the access logs. If the user accessed these paths without first accessing the paths listed below, this indicates a bypass of authorization. Via VPN client: /cgi-bin/userLogin. Through the web: /__api__/v1/logon (200) and /__api__/v1/logon//authenticate.
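The two log checks described above can be run as one ordered pass over the access log. The following is an added example, not code from NCC Group or SonicWall; the log line layout, the use of the client IP to tie requests together, and treating status 200 as a successful logon on every logon path are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Paths as listed in the article. The segment between "logon/" and
# "/authenticate" is empty on the page, so any value is accepted there.
ADMIN_AUTH = re.compile(r"^/__api__/v1/logon(/[^/]*/authenticate)?$")
USER_AUTH = re.compile(r"^(/cgi-bin/userLogin|/__api__/v1/logon(/[^/]*/authenticate)?)$")
PROTECTED = {
    "/cgi-bin/management": ADMIN_AUTH,   # management interface
    "/cgi-bin/sslvpnclient": USER_AUTH,  # user level
    "/cgi-bin/portal": USER_AUTH,        # user level
}
# Assumed layout: <client-ip> <time> "<METHOD> <path> <proto>" <status>
LINE = re.compile(r'^(\S+) (\S+) "\S+ (\S+) [^"]*" (\d{3})$')

# Constructed sample log (documentation IP ranges), not real appliance output.
SAMPLE_LOG = [
    '192.0.2.10 2021-02-01T09:00:01Z "POST /__api__/v1/logon HTTP/1.1" 200',
    '192.0.2.10 2021-02-01T09:00:05Z "GET /cgi-bin/management HTTP/1.1" 200',
    '198.51.100.7 2021-02-01T09:03:11Z "GET /cgi-bin/management HTTP/1.1" 200',
    '203.0.113.5 2021-02-01T09:04:00Z "POST /cgi-bin/userLogin HTTP/1.1" 200',
    '203.0.113.5 2021-02-01T09:04:02Z "GET /cgi-bin/sslvpnclient HTTP/1.1" 200',
    '203.0.113.5 2021-02-01T09:05:00Z "GET /cgi-bin/management HTTP/1.1" 200',
    '198.51.100.9 2021-02-01T09:06:00Z "POST /__api__/v1/logon HTTP/1.1" 401',
    '198.51.100.9 2021-02-01T09:06:03Z "GET /cgi-bin/portal HTTP/1.1" 200',
]

def find_bypass_candidates(lines):
    """Flag protected-path requests with no earlier successful logon from the same IP."""
    seen_auth = defaultdict(list)  # client IP -> successful logon paths so far
    findings = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not in the assumed layout
        ip, ts, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string
        required = PROTECTED.get(path)
        if required is not None:
            if not any(required.match(p) for p in seen_auth[ip]):
                findings.append((ip, ts, path, status))
        elif status == "200" and USER_AUTH.match(path):
            seen_auth[ip].append(path)  # assumption: 200 means the logon succeeded
    return findings

if __name__ == "__main__":
    for ip, ts, path, status in find_bypass_candidates(SAMPLE_LOG):
        print(f"{ts} {ip} {path} ({status}): no preceding successful logon")
```

Clients behind shared NAT can hide a finding behind another user's logon, so a hit is a lead for investigation and an empty result is not proof of a clean device.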

In conclusion, the data provided by the researchers indicates that the vulnerability allows remote attackers to gain access to the internal network or control interface without prior authentication.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
