A security researcher for Rapid7 on Tuesday reported five vulnerabilities around SonicWall’s Secure Mobile Access (SMA) 100 series of devices.
In a Jan. 11 blog post, Jake Baines, lead security researcher at Rapid7, added that the most serious of the five issues — CVE-2021-20038 — can lead to a remote code execution (RCE) on affected devices.
Baines said Rapid7 reported the issues to SonicWall, which released fixes to customers and channel partners last month on Dec. 7. Rapid7 recommends that companies deploying SonicWall SMA 100 series devices should apply the updates as soon as possible.
Organizations will need automated methods to quickly find and patch vulnerable devices, especially since this line of routers is intended for broad deployment — at the edge, in the cloud, or a traditional datacenter, said Bud Broomhead, CEO at Viakoo. Broomhead said this makes reaching these devices difficult, and that’s why organizations need automation to ensure that regardless of where they are deployed, they can have vulnerabilities remediated quickly through firmware patching.
“In addition to the need to patch firmware quickly, a key lesson from this set of vulnerabilities is to focus on passwords,” Broomhead said. “The most critical vulnerability has a severity of 9.8/10, one of the highest, because super-user access to root can be granted by using the password ‘password.’ Ensuring that default or easily guessed passwords are not being used at any time, along with regular password rotations, can and should be accomplished best through automation.”
Joni Moore, director of security solutions at Lookout, added that attackers jump on the opportunity to discover zero-day vulnerabilities that they can exploit freely to gain control over the device and access sensitive data.
“Even as smaller patches and updates are released between major OS updates, it’s on the end user to actually install them,” Moore said. “Missing an update, even a minor one, can make a device more prone to compromise —putting data, user credentials, and services at risk. Regardless of what type of device, if a patch or update is released, it’s imperative to take a well-earned break and update. It's the safest thing to do and can protect both your personal and work data from compromise.”