Urgent Patch Available For SMA 100 Series 10.X Firmware Zero-Day Vulnerability [Updated Feb. 3, 2 P.M. CST]
UPDATE: FEBRUARY 3, 2021, 2 P.M. CST
SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.
Affected SMA 100 Devices with 10.x Firmware that Require the Critical Patch:
- Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
- Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)
Please read this notice in its entirety as it contains important details for post-upgrade steps.
The patch addresses vulnerabilities reported to SonicWall by the NCC Group on Jan. 31 and Feb. 2, tracked under PSIRT Advisory ID SNWLID-2021-0001. These include an exploit to gain admin credential access and a subsequent remote-code execution attack.
Upgrade Recommended Steps
Due to the potential credential exposure in SNWLID-2021-0001, all customers using SMA 10.x firmware should immediately follow these procedures:
- Upgrade to SMA 10.2.0.5-29sv firmware, available from www.mysonicwall.com.
  - This firmware is available to everybody, regardless of the status of their support/service contract.
  - Instructions on how to update the SMA 100 10.x series firmware can be found in this KB article for physical appliances and this KB article for virtual devices.
- Reset the passwords for any users who may have logged in to the device via the web interface.
- Enable multifactor authentication (MFA) as a safety measure.
  - MFA is an invaluable safeguard against credential theft and is a key measure of good security posture.
  - MFA is effective whether it is enabled on the appliance directly or on the directory service in your organization.
NOTE: SMA 500v base image downloads from www.mysonicwall.com for Hyper-V, ESXi, Azure, AWS will be available shortly.
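For a fleet of appliances, the steps above can be turned into a per-device checklist. The following Python sketch is an added example, not SonicWall code: the inventory CSV, host names and every firmware string other than 10.2.0.5-29sv are constructed, and it assumes firmware strings order field by field numerically and that later builds carry the fix.

```python
import csv
import io
import re

FIXED = (10, 2, 0, 5, 29)  # 10.2.0.5-29sv, the patched release named in this notice
MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500V"}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv")

# Constructed sample inventory (hypothetical hosts and firmware strings).
SAMPLE_INVENTORY = """host,model,firmware
vpn-edge-01,SMA 410,10.2.0.2-20sv
vpn-edge-02,SMA 500v,10.2.0.5-29sv
vpn-lab-01,SMA 200,9.0.0.9-26sv
vpn-lab-02,SMA 400,10.2.0.5
"""

def parse_firmware(text):
    """Return (major, minor, patch, hotfix, build), or None if the string is malformed."""
    m = VERSION_RE.fullmatch(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def actions_for(model, firmware):
    """List the steps from this notice that still apply to one appliance."""
    if model.strip().upper() not in MODELS:
        return ["out of scope: model not listed in the notice"]
    version = parse_firmware(firmware)
    if version is None:
        # Never guess at a truncated or unknown version string.
        return ["verify firmware string manually"]
    if version[0] != 10:
        return ["out of scope: not 10.x firmware"]
    steps = []
    if version < FIXED:  # assumption: numeric, field-by-field ordering
        steps.append("upgrade to 10.2.0.5-29sv")
    # The notice asks every 10.x customer for these, so they stay on the
    # checklist after the upgrade until someone confirms them.
    steps += ["reset passwords of web-interface users", "enable MFA"]
    return steps

def triage_inventory(csv_text):
    """Map each host in the CSV to its remaining steps."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: actions_for(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for host, steps in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'; '.join(steps)}")
```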
Additional WAF Mitigation Method
Customers unable to immediately deploy the patch can also enable the built-in Web Application Firewall (WAF) feature to mitigate the vulnerability in SNWLID-2021-0001 on SMA 100 series 10.x devices.
Please follow the guidance in the following KB article to enable WAF functionality: https://www.sonicwall.com/support/knowledge-base/210202202221923/
SonicWall is adding 60 complimentary days of WAF enablement to all registered SMA 100 series devices with 10.x code to enable this mitigation technique.
While this mitigation has been found in our lab to mitigate SNWLID-2021-0001, it does *not* replace the need to apply the patch in the long term and should only be used as a safety measure until the patched firmware is installed.
- We currently are not aware of any forensic data that can be viewed by the user to determine whether a device has been attacked. However, we will post an update as we get more information.
- Vulnerable virtual SMA 100 series 10.x images have been pulled from AWS and Azure marketplaces and updated images will be re-submitted as soon as possible. We expect the approval process to take several weeks. In the meantime, customers in Azure and AWS can update via incremental updates.
Release notes for the firmware can be found in the downloads section of www.mysonicwall.com.
UPDATE: FEBRUARY 3, 2021, 6 A.M. CST
SonicWall engineering teams continue to finalize the SMA 100 series 10.x patch that addresses the zero-day vulnerability. The new estimate for delivery is mid-day Feb. 3 (PST).
Meanwhile, as outlined below, you can enable the built-in Web Application Firewall (WAF) functionality on the SMA 100 series appliance to help protect against the vulnerability. Please follow the guidance in the following KB article to enable WAF functionality on the SMA 100 series appliance: https://www.sonicwall.com/support/knowledge-base/security-best-practice-for-configuring-web-application-firewall/210202202221923/.
UPDATE: FEBRUARY 2, 2021, 11 P.M. CST
The SMA 100 series 10.x patch announced yesterday to address the zero-day vulnerability is still undergoing final testing and our new estimate for delivery is early Feb. 3 (PST).
Meanwhile, we have identified an additional mitigation to remediate the attack on the SMA 100 series 10.x firmware. The built-in Web Application Firewall (WAF) functionality has been observed in our testing to neutralize the zero-day vulnerability. Please follow the guidance in the following KB article to enable WAF functionality on the SMA 100 series appliance: https://www.sonicwall.com/support/knowledge-base/210202202221923/
SonicWall is adding 60 complimentary days of WAF enablement to all registered SMA 100 series devices with 10.X code in order to enable this mitigation technique. This 60-day license will be automatically enabled within “www.MySonicWall.com” accounts of registered SMA 100 series devices before the end of today, Feb. 2 (PST).
The Feb. 3 patch remains the definitive solution to the zero-day vulnerability. The patch will include additional code-strengthening and should be applied immediately upon availability.
UPDATE: February 1, 2021, 2.30 P.M. CST
UPDATE: January 29, 2021, 5.30 P.M. CST
UPDATE January 29, 2021. 7 A.M. CST.
UPDATE January 27, 2021. 7 P.M. CST.
UPDATE January 25, 2021. 5.30 P.M. CST.
UPDATE: January 23, 2021, 9:30 P.M. CST.
UPDATE: January 22, 2021. 10:15 P.M. CST.