Improper Neutralization of Special Elements used in an SQL Command leading to SQL Injection vulnerability Impacting End-Of-Life SRA Appliances

<p>SonicWall is aware of an improper neutralization of a SQL command leading to a SQL injection vulnerability, reported by CrowdStrike, impacting end-of-life Secure Remote Access (SRA) products, specifically the SRA appliances running all 8.x firmware or an old version of firmware 9.x (9.0.0.9-26sv or earlier).</p>
<p>In February 2021, SonicWall released SMA firmware 10.2.0.7 and 9.0.0.10 to fix a zero-day vulnerability, along with additional comprehensive code-strengthening. This strengthening proactively prevented this newly reported vulnerability in 9.0.0.10.</p>
<ul>
<li>Organizations that have already upgraded to the 9.0.0.10 firmware are protected against this newly reported issue and don’t need to take any action.</li>
<li>Organizations running any 10.x version are not subject to this vulnerability, as the vulnerable feature was deprecated in the 10.x release.</li>
<li>Organizations running any 8.x firmware version, or a version older than 9.0.0.10 or 10.2.0.7, should, per our earlier instructions, upgrade immediately. These older versions may potentially be exploited if not patched immediately.</li>
<li>SMA 1000 Series products are not affected by this vulnerability.</li>
</ul>
CVE: CVE-2021-20028
Last updated: Aug. 4, 2021, 8:09 p.m.
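
The version guidance above can be applied to an asset inventory with a small triage script. This is an added example, not SonicWall code: the status labels, the hostnames and every sample version string other than 9.0.0.9-26sv are constructed, and it assumes the inventory contains only the SRA/SMA appliances this advisory covers (SMA 1000 Series excluded) with firmware reported as four dotted numbers plus an optional build suffix.

```python
import re

# Fixed releases named in the advisory.
FIXED_9X = (9, 0, 0, 10)
FIXED_10X = (10, 2, 0, 7)

# Four numeric fields, then an optional build suffix such as "-26sv".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-\S+)?\s*$")


def parse_firmware(version):
    """Return the numeric fields of e.g. '9.0.0.9-26sv' as a tuple, or None."""
    m = _VERSION_RE.match(version)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(version):
    """Map a firmware string to the advisory's guidance (labels are this example's own)."""
    v = parse_firmware(version)
    if v is None:
        return "UNKNOWN"  # unparseable: review by hand
    major = v[0]
    # The build suffix is ignored, so every 9.x below 9.0.0.10 counts as
    # affected (conservative: the advisory names 9.0.0.9-26sv or earlier).
    if major == 8 or (major == 9 and v < FIXED_9X):
        return "AFFECTED"  # upgrade immediately
    if major == 9:
        return "PROTECTED"  # 9.0.0.10 already contains the fix
    if major == 10:
        # The vulnerable feature is deprecated in 10.x, but releases below
        # 10.2.0.7 still lack the February 2021 zero-day fix.
        return "NOT_SUBJECT" if v >= FIXED_10X else "NOT_SUBJECT_UPGRADE"
    return "UNKNOWN"  # version line the advisory does not discuss


def triage_inventory(inventory):
    """Return {host: status} for a {host: firmware string} mapping."""
    return {host: triage(fw) for host, fw in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory.
    sample = {
        "vpn-01.example.internal": "9.0.0.9-26sv",
        "vpn-02.example.internal": "8.6.0.3-12sv",
        "vpn-03.example.internal": "9.0.0.10-28sv",
        "vpn-04.example.internal": "10.2.0.5-29sv",
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```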
