Zero-day vulnerability in SMA 100

SQL injection
CVE-2021-20016

SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting zero-day vulnerabilities on certain SonicWall secure remote access products.

At this point both SMA 100 and NetExtender VPN Client are considered affected. Investigation of the incident is still ongoing.

Vulnerability details

Advisory: SB2021012401 - SQL injection in SonicWall SMA100

Vulnerable component: SMA 100

CVE-ID: CVE-2021-20016

CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Description:

The vulnerability allows a remote attacker to execute arbitrary SQL queries in the database.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote unauthenticated attacker can send a specially crafted HTTP request to the SSL-VPN appliance and execute arbitrary SQL commands within the application database.

Successful exploitation of this vulnerability may allow a remote attacker to access usernames, passwords and other session-related information.

Note: the vulnerability is being actively exploited in the wild.

External links:

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001

https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/