TZUTC: -0500
MSGID: 1039.consprcy@1:2320/105 2c67a87e
PID: Synchronet 3.20a-Linux master/acc19483f Apr 26 202 GCC 12.2.0
TID: SBBSecho 3.20-Linux master/acc19483f Apr 26 2024 23:04 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
US government flags worrying SonicWall flaw, so update now

Date:
Fri, 18 Apr 2025 13:03:00 +0000

Description:
SonicWall updates its security advisory, and CISA added the flaw to KEV.

FULL STORY

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an
old SonicWall vulnerability to its Known Exploited Vulnerabilities (KEV)
catalog, confirming that it is being used in the wild. 

As a result, Federal Civilian Executive Branch (FCEB) agencies have three
weeks to install the patch or stop using the product entirely. 

In late 2021, SonicWall released a security advisory, warning its users about
an improper neutralization vulnerability affecting multiple SonicWall Secure
Mobile Access (SMA) appliances. At the time, the company said the bug could 
be used to take down vulnerable endpoints with a Denial-of-Service (DoS)
attack. However, the company has now updated the advisory to warn about
in-the-wild abuse and to upgrade its severity score from medium to high 
(7.2). 

"Improper neutralization of special elements in the SMA100 management
interface allows a remote authenticated attacker to inject arbitrary commands
as a 'nobody' user, which could potentially lead to code execution," 
SonicWall said. 

The flaw affects SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v (ESX, KVM,
AWS, Azure) devices. 

At the same time, CISA added the bug to KEV, warning about abuse in the wild.
While its Binding Operational Directive 22-01 (which forces organizations to
install the patch) only applies to government agencies, those in the private
sector should take note when KEV gets a new entry. 

"These types of vulnerabilities are frequent attack vectors for malicious
cyber actors and pose significant risks to the federal enterprise," CISA 
said. 

In 2021, SonicWall suffered one of its largest attacks ever, when a threat
actor tracked as UNC2447 abused an SQL injection vulnerability in the SMA100
instance to gain unauthorized access to networks. Following the breach, they
deployed the Sombrat backdoor and a ransomware variant dubbed FiveHands. 

 Via BleepingComputer

======================================================================
Link to news story:
https://www.techradar.com/pro/security/us-government-flags-worrying-sonicwall-
flaw-so-update-now

$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)
SEEN-BY: 105/81 106/201 128/187 129/305 153/7715 154/110 218/700 226/30
SEEN-BY: 227/114 229/110 111 114 206 300 307 317 400 426 428 470 664
SEEN-BY: 229/700 705 266/512 291/111 320/219 322/757 342/200 396/45
SEEN-BY: 460/58 712/848 902/26 2320/0 105 3634/12 5075/35
PATH: 2320/105 229/426