Security Advisory
source link: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0017
Improper Neutralization of Special Elements used in an SQL Command leading to SQL Injection vulnerability Impacting End-Of-Life SRA Appliances
Overview
Advisory ID: SNWLID-2021-0017
First Published: 2021-07-13
Last Updated: 2021-08-04
Workaround: false
Status: Applicable
CVE: CVE-2021-20028
CWE: CWE-89
CVSS v3: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary

SonicWall is aware of an improper neutralization of special elements used in a SQL command (SQL injection) vulnerability, reported by CrowdStrike, impacting end-of-life Secure Remote Access (SRA) products, specifically SRA appliances running any 8.x firmware or an older 9.x firmware (9.0.0.9-26sv or earlier).

In February 2021, SonicWall released SMA firmware 10.2.0.7 and 9.0.0.10 to fix a zero-day vulnerability, along with additional comprehensive code-strengthening. This strengthening proactively prevented this newly reported vulnerability in 9.0.0.10.

  • Organizations that already upgraded to the 9.0.0.10 firmware are already protected against this newly reported issue and don’t need to take any action.
  • Organizations running any 10.x version are not subject to this vulnerability, as the vulnerable feature was deprecated in the 10.x release.
  • Organizations running any 8.x firmware, or any firmware older than 9.0.0.10 or 10.2.0.7, should, per our earlier instructions, upgrade immediately. These older versions may be exploited if they are not patched.
  • SMA 1000 Series products are not affected by this vulnerability. 
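The affected-version rules above are easy to misread when triaging an appliance inventory (the build suffix in "9.0.0.9-26sv" in particular trips up naive string comparison). The following Python is an added example for this page, not SonicWall's own tooling: it encodes the ranges stated in this advisory, parses a firmware string as dotted integers while ignoring a trailing build suffix (an assumption about the version format), and classifies each constructed inventory entry so that hosts still needing action can be listed.

```python
"""Classify SonicWall SRA/SMA firmware versions against SNWLID-2021-0017.

Added example, not SonicWall's code. Version strings are parsed as dotted
integers; a build suffix such as "-26sv" is assumed to be cosmetic and is
ignored for ordering. Only the ranges stated in the advisory are encoded.
"""
from __future__ import annotations

FIXED_9X = (9, 0, 0, 10)    # first 9.x build the advisory calls protected
FIXED_10X = (10, 2, 0, 7)   # February 2021 10.x release named in the advisory

AFFECTED = "affected"                       # 8.x, or 9.x before 9.0.0.10
PROTECTED = "protected"                     # 9.0.0.10 or later 9.x
NOT_AFFECTED = "not-affected"               # 10.x at or above 10.2.0.7
UPGRADE_ADVISED = "not-affected-upgrade-advised"  # 10.x below 10.2.0.7
UNKNOWN = "unknown"                         # anything the advisory does not cover


def parse_version(version: str) -> tuple[int, ...]:
    """'9.0.0.9-26sv' -> (9, 0, 0, 9). Raises ValueError on unparseable input."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Map one firmware string to an advisory status label."""
    v = parse_version(version)
    major = v[0]
    if major <= 8:
        # "all 8.x firmware" (and older) is in scope of the advisory
        return AFFECTED
    if major == 9:
        # tuple comparison handles short strings like "9.0.0" correctly
        return AFFECTED if v < FIXED_9X else PROTECTED
    if major == 10:
        # feature deprecated in 10.x, but the advisory still tells older
        # 10.x builds to move to 10.2.0.7 per earlier guidance
        return NOT_AFFECTED if v >= FIXED_10X else UPGRADE_ADVISED
    return UNKNOWN


def hosts_needing_action(inventory: dict[str, str]) -> list[str]:
    """Return hostnames whose firmware is affected or should be upgraded."""
    action = {AFFECTED, UPGRADE_ADVISED}
    return sorted(h for h, fw in inventory.items() if classify(fw) in action)


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "sra-branch-1": "8.6.0.3",
    "sra-branch-2": "9.0.0.9-26sv",
    "sra-hq": "9.0.0.10",
    "sma-dmz": "10.2.0.5",
    "sma-cloud": "10.2.0.7",
}

if __name__ == "__main__":
    for host, fw in SAMPLE_INVENTORY.items():
        print(f"{host:14} {fw:14} {classify(fw)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

The status labels deliberately separate "affected by this CVE" from "older 10.x, upgrade per earlier guidance", because the advisory makes that distinction; collapsing them into a single boolean would hide which hosts are actually exposed to CVE-2021-20028.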
