Information security specialists reported the detection of two severe vulnerabilities affecting SonicWall SMA 100. According to the report, successful exploitation of these flaws would allow threat actors to collect multiple user details.
Below are brief descriptions of the reported flaws, as well as their tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2021-20049: The affected product's password change API returns different responses for existing and non-existing users. Remote threat actors could exploit the flaw to enumerate usernames in the compromised system.
This is a low severity vulnerability and received a CVSS score of 3.2/10.
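The response-discrepancy flaw class described for CVE-2021-20049, shown as an added example that is not SonicWall's code: a hypothetical password-change handler in its leaky form beside a uniform-response form, with a regression check that compares failed requests for a real and a non-existent account. The handler names, status codes and in-memory account store are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed sample account store (hypothetical, not appliance data).
USERS = {"alice": _make_user("correct horse")}
# Dummy record so unknown usernames cost the same hash work as real ones.
DUMMY_SALT, DUMMY_HASH = _make_user("placeholder")

def change_password_leaky(username, old_pw, new_pw):
    """'Before' form: the response reveals whether the account exists."""
    if username not in USERS:
        return 404, {"error": "unknown user"}
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(old_pw, salt), stored):
        return 403, {"error": "wrong password"}
    USERS[username] = _make_user(new_pw)
    return 200, {"status": "changed"}

def change_password_uniform(username, old_pw, new_pw):
    """Hardened form: one failure response for every failure cause."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    # The hash comparison always runs; the existence check is applied afterwards.
    ok = hmac.compare_digest(_hash(old_pw, salt), stored) and username in USERS
    if not ok:
        return 403, {"error": "password change failed"}
    USERS[username] = _make_user(new_pw)
    return 200, {"status": "changed"}

def leaks_existence(handler, known_user, unknown_user):
    """Regression check: do failed requests differ between a real and a fake account?"""
    return handler(known_user, "bad-guess", "x") != handler(unknown_user, "bad-guess", "x")
```

A check like `leaks_existence` fits in an API test suite so that a later change to error handling cannot reintroduce distinguishable responses.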
CVE-2021-20050: Improper access restrictions on multiple management APIs would allow remote unauthenticated hackers to obtain configuration metadata.
This is a medium severity vulnerability and received a CVSS score of 4.6/10.
According to the report, these flaws reside in the following SonicWall SMA 100 versions: 10.2.0.2-20sv, 10.2.0.3-24sv, 10.2.0.5-d-29sv, 10.2.0.6-31sv, 10.2.0.7-34sv, 10.2.0.8-37sv, 10.2.1.0-17sv, 10.2.1.1-19sv and 10.2.1.2-24sv.
The reported vulnerabilities can be exploited by remote unauthenticated attackers via the Internet, but information security specialists have detected no active exploitation attempts. Still, experts recommend applying the official patches to prevent any exploitation risk.
The post Two severe vulnerabilities in SonicWall SMA 100: Patch ASAP appeared first on Information Security Newspaper | Hacking News.