SonicWall

SonicWall "strongly urges" customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances.

SonicWall SMA 1000 SSLVPN solutions are used by enterprises to simplify end-to-end secure remote access to corporate resources across on-prem, cloud, and hybrid data center environments.

While the first flaw (an unauthenticated access control bypass rated as high severity) is now tracked as CVE-2022-22282, the other two (a hard-coded cryptographic key and an open redirect, both rated as medium severity) are still waiting for a CVE ID to be issued.

"There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible," the company says in a security advisory published this week.

However, SonicWall also pointed out that it found "no evidence that these vulnerabilities are being exploited in the wild."

It also added that the vulnerabilities do not affect SMA 1000 series running versions earlier than 12.4.0, SMA 100 series products, CMS, and remote access clients.

The security bugs impact the following SMA 1000 Series models: 6200, 6210, 7200, 7210, 8000v (ESX, KVM, Hyper-V, AWS, Azure).

| Summary | CVSS Score | Impacted Firmware | Fixed Firmware |
|---|---|---|---|
| Unauthenticated access control bypass | 8.2 (High) | 12.4.0, 12.4.1 | 12.4.1-02994 |
| Use of hard-coded cryptographic key | 5.7 (Medium) | 12.4.0, 12.4.1 | 12.4.1-02994 |
| URL redirection to an untrusted site (open redirection) | 6.1 (Medium) | 12.4.0, 12.4.1 | 12.4.1-02994 |
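Because the advisory offers no temporary mitigation, the practical task is finding which appliances still run an impacted build. The sketch below is an added example, not SonicWall's tooling; it applies the model list and firmware versions from the table above to a constructed inventory, and the inventory format, hostnames and status labels are assumptions.

```python
import re

# Values below come from the advisory table in this article.
AFFECTED_MODELS = {"6200", "6210", "7200", "7210", "8000v"}  # SMA 1000 Series
FIRST_AFFECTED = (12, 4, 0)        # earlier releases are not affected
FIXED = (12, 4, 1, 2994)           # fixed firmware 12.4.1-02994

def parse_version(text):
    """Split 'major.minor.patch[-build]' into ((major, minor, patch), build or None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch)), (int(build) if build else None)

def triage(model, firmware):
    """Classify one appliance; both arguments are strings from a hypothetical inventory."""
    if model.lower().replace("sma", "").strip() not in AFFECTED_MODELS:
        return "model-not-affected"
    try:
        base, build = parse_version(firmware)
    except ValueError:
        return "check-manually"
    if base < FIRST_AFFECTED:
        return "version-not-affected"
    if base == FIXED[:3] and build is None:
        # "12.4.1" alone does not say whether the build is below 02994.
        return "check-manually"
    if base + (build or 0,) < FIXED:
        return "patch-required"
    # Assumption: builds at or above the fixed firmware carry the fix.
    return "at-or-above-fixed"

# Constructed sample inventory (not real devices or real build numbers).
SAMPLE_INVENTORY = [
    ("gw-1", "SMA 6210", "12.4.0-02000"),
    ("gw-2", "7210", "12.4.1-02994"),
    ("gw-3", "8000v", "12.4.1"),
    ("gw-4", "SMA 410", "10.2.1-1"),
    ("gw-5", "6200", "12.3.0-04000"),
]

def triage_inventory(rows):
    """Map each hostname to its triage status."""
    return {host: triage(model, fw) for host, model, fw in rows}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

An appliance reporting only "12.4.1" is flagged for manual review because the table lists 12.4.1 as impacted and 12.4.1-02994 as fixed, so the build number decides.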

Of the three vulnerabilities, CVE-2022-22282 is the most severe as it allows unauthenticated attackers to bypass access control and gain access to internal resources.

This bug can be exploited remotely in low complexity attacks that do not require any user interaction to pull off.

The hard-coded cryptographic key weakness can also have serious consequences if left unpatched and exploited by attackers, as it will enable them to get access to encrypted credentials.

"The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered," according to MITRE's CWE database.

"If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question."

SonicWall devices targeted by ransomware

Since SMA 1000 series VPN appliances are used to secure remote connections into corporate networks, threat actors will most likely look into ways to exploit them.

The company's VPN products also have a history of being targeted in ransomware attacks, with HelloKitty / FiveHands operators observed exploiting zero-day flaws in SMA 100 appliances.

In July 2021, SonicWall also warned of an increased risk of ransomware attacks targeting end-of-life SMA 100 series and Secure Remote Access products.

Over 500,000 business customers from 215 countries and territories worldwide are using SonicWall's products, many of them deployed on the networks of government agencies and the world's largest companies.
