Information security specialists reported the detection of two severe vulnerabilities affections SonicWall SMA 100. According to the report, successful exploitation of these flaws would allow threat actors collecting multiple user details.
Below are brief descriptions of the reported flaws, as well as their tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-20049: The affected product’s password change API is vulnerable to different responses sent for exiting and non-existing users. Remote threat actors could exploit the flaw to enumerate usernames in the compromised system.
This is a low severity vulnerability and received a CVSS score of 3.2/10.
CVE-2021-20050: The improper access restrictions to multiple management APIs would allow remote non-authenticated hackers to obtain configuration meta-data.
This is a medium severity vulnerability and received a CVSS score of 4.6/10.
According to the report, these flaws reside in the following SonicWall SMA 100 versions: 10.2.0.2-20sv, 10.2.0.3-24sv, 10.2.0.5-d-29sv, 10.2.0.6-31sv, 10.2.0.7-34sv, 10.2.0.8-37sv, 10.2.1.0-17sv, 10.2.1.1-19sv & 10.2.1.2-24sv.
Reported vulnerabilities can be exploited by remote non-authenticated attackers via the Internet, but information security specialists have detected no active exploitation attempts. Still, experts recommend applying the official patches to prevent any exploitation risk.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.