{"id": "AKB:15082D97-CB46-4433-9BA3-6C37DC148340", "type": "attackerkb", "bulletinFamily": "info", "title": "SonicWall SMA 100 Series 10.x Firmware Zero-Day Vulnerability", "description": "Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:\n\n * Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 04, 2021 10:34pm UTC reported:\n\nPlease see the [Rapid7 analysis](<https://attackerkb.com/topics/BFh8B71dfn/sonicwall-sma-100-series-10-x-firmware-zero-day-vulnerability#rapid7-analysis>).\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "published": "2021-02-06T00:00:00", "modified": "2021-02-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://attackerkb.com/topics/BFh8B71dfn/sonicwall-sma-100-series-10-x-firmware-zero-day-vulnerability", "reporter": "AttackerKB", "references": ["https://nvd.nist.gov/vuln/detail/CVE-2021-20016", "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001", "https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/", "https://twitter.com/NCCGroupInfosec/status/1355850304596680705"], "cvelist": ["CVE-2021-20016"], "lastseen": "2021-02-09T12:16:44", "viewCount": 74, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:78B79B61-E949-48E9-BA41-A45CF0E9EA6C"]}, {"type": "cve", "idList": ["CVE-2021-20016"]}, {"type": "nessus", "idList": ["SONICWALL_SMA_SNWLID-2021-0001.NASL"]}], "modified": "2021-02-09T12:16:44", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2021-02-09T12:16:44", "rev": 2}, "vulnersScore": 5.6}, "attackerkb": {"attackerValue": 5, "exploitability": 4}, "wildExploited": true}

{"attackerkb": [{"lastseen": "2021-02-09T12:17:06", "bulletinFamily": "info", "cvelist": ["CVE-2021-20016"], "description": "A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.\n\n \n**Recent assessments:** \n \n**wvu-r7** at February 05, 2021 5:49pm UTC reported:\n\nPlease see the [Rapid7 analysis on the zero-day vulnerability](<https://attackerkb.com/topics/BFh8B71dfn/sonicwall-sma-100-series-10-x-firmware-zero-day-vulnerability#rapid7-analysis>). It is suspected that CVE-2021-20016 was used to compromise SonicWall\u2019s internal network.\n\nAssessed Attacker Value: 5 \nAssessed Attacker Value: 4\n", "modified": "2021-02-04T00:00:00", "published": "2021-02-04T00:00:00", "id": "AKB:78B79B61-E949-48E9-BA41-A45CF0E9EA6C", "href": "https://attackerkb.com/topics/VbhtmNhPun/cve-2021-20016", "type": "attackerkb", "title": "CVE-2021-20016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-09T14:43:31", "description": "A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session related information. This vulnerability impacts SMA100 build version 10.x.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-04T06:15:00", "title": "CVE-2021-20016", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-20016"], "modified": "2021-02-08T14:40:00", "cpe": ["cpe:/o:sonicwall:sma_200_firmware:-", "cpe:/o:sonicwall:sma_210_firmware:-", "cpe:/a:sonicwall:sma_500v:-", "cpe:/o:sonicwall:sma_400_firmware:-", "cpe:/o:sonicwall:sma_410_firmware:-"], "id": "CVE-2021-20016", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20016", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sonicwall:sma_400_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_410_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_200_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:o:sonicwall:sma_210_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:sonicwall:sma_500v:-:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-02-10T23:22:35", "description": "According to its self-reported version, the remote SonicWall Secure Mobile Access is affected by a remote code\nexecution vulnerability. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary commands. \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.", "edition": 6, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-03T00:00:00", "title": "SonicWall Secure Mobile Access Remote Code Execution (SNWLID-2021-0001)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2021-20016"], "modified": "2021-02-03T00:00:00", "cpe": ["cpe:/o:sonicwall:sma_100_firmware"], "id": "SONICWALL_SMA_SNWLID-2021-0001.NASL", "href": "https://www.tenable.com/plugins/nessus/146091", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146091);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\"CVE-2021-20016\");\n script_xref(name:\"IAVA\", value:\"2021-A-0065\");\n\n script_name(english:\"SonicWall Secure Mobile Access Remote Code Execution (SNWLID-2021-0001)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the remote SonicWall Secure Mobile Access is affected by a remote code\nexecution vulnerability. An unauthenticated, remote attacker can exploit this to bypass authentication and execute\narbitrary commands. \n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0001\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5956a722\");\n # https://www.sonicwall.com/support/product-notification/urgent-patch-available-for-sma-100-series-10-x-firmware-zero-day-vulnerability-updated-feb-3-2-p-m-cst/210122173415410/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?421bba7b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 10.2.0.5-29sv or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20016\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/01/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sonicwall:sma_100_firmware\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"sonicwall_sma_web_detect.nbin\");\n script_require_keys(\"installed_sw/SonicWall Secure Mobile Access\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp_name = 'SonicWall Secure Mobile Access';\nport = get_http_port(default:443,embedded:TRUE);\napp = vcf::get_app_info(app:app_name, webapp:TRUE, port:port);\n\nif (app['Model'] !~ \"SMA (200|210|400|410|500v)\")\n audit(AUDIT_WEB_APP_NOT_AFFECTED, app_name, port);\n\nconstraints =\n[\n {'min_version' : '10.0', 'fixed_version' : '10.2.0.5.29', 'fixed_display':'Upgrade to version 10.2.0.5-29sv or later.'}\n];\n\nvcf::check_version_and_report(app_info:app, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}