SonicWall firewall vulnerability can be exploited to install ransomware like Colonial Pipeline. Patch now

SonicWall security teams released a security alert to invite their customers to install patches that address a critical post-auth vulnerability present in local versions of the Network Security Manager (NSM) firewall solution. Tracked as CVE-2021-20026, the flaw resides in NSM versions prior to v2.2.0-R10-H1 and was fixed with the release of v2.2.1-R6 and 2.2.1-R6 Enhaced.

According to the report, the flaw received a score of 8.8/10 according to the Common Vulnerability Scoring System (CVSS) and can be exploited by authenticated threat actors on the vulnerable system to inject arbitrary commands of low complexity and without interaction from the target user.

The developers of SonicWall mention that the flaw is potentially critical due to the triviality of the exploitation and the possible malicious scenarios arising from a successful attack: “Although we have detected no incidents of active exploitation, we strongly urge users to update as soon as possible; it should be clarified that SaaS versions of the product concerned are not affected.”

Since the time the flaw was unveiled several members of the cybersecurity community have tried to contact the company for additional details, though SonicWall has not issued any new updates to the report.

For a few months now SonicWall has become a frequent target of malicious hacking groups, so even zero-day active exploit campaigns have been detected. SonicWall has been working at a brisk pace in developing multiple security patches to address all the flaws that hackers have tried to exploit, primarily targeting SMA 100 series network devices.

One of the most notorious attacks was identified by analysts at security firm Mandiant, and focused on the abuse of zero-day flaws in the SonicWall SMA 100 series VPN devices for the injection of the dangerous ransomware variant known as FiveHands. This same attack was detected on SonicWall’s internal systems in early 2021 and was subsequently identified in several active attacks; experts think this was the attack variant that hackers used to target Colonial Pipeline’s IT infrastructure.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.