SonicWall Confirms Zero-Day Flaw Affects Certain Products
Researchers Spot Exploits in the Wild; Company Developing Patch
Editor's note: SonicWall on Wednesday released updated firmware to fix the vulnerabilities detailed below. See story update, below.
SonicWall confirmed Monday that a zero-day vulnerability is affecting its Secure Mobile Access, or SMA, gateway product line, and the company is developing a patch to address the issue.
The latest update from SonicWall, which first alerted customers to a possible "coordinated attack" on its internal network Jan. 22, comes after researchers at the NCC Group warned Sunday that they had found exploits for this flaw circulating in the wild.
Per the @SonicWall advisory - https://t.co/teeOvpwFMD - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs
— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
An NCC spokesperson tells Information Security Media Group: "Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth."
On Monday, SonicWall posted an update to customers confirming the findings of the NCC report and stating that the company's engineers were working on a patch that it planned to push out to customers Tuesday.
"SonicWall believes it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community, and we are working around the clock to deliver a patch that will address the problem," the company notes.
According to the update, SonicWall has confirmed that the vulnerability is limited to its gateway products running the SMA 100 series 10.x firmware. This includes SonicWall's SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances as well as the SMA 500v virtual appliance.
The company says these appliances are used to provide users at small businesses as well as large enterprises with remote access to internal resources.
SonicWall says that the vulnerability is affecting a "few thousand" of the company's gateway products.
The company is recommending temporary measures that its affected customers can take to safeguard their devices ahead of patching. These include:
- Deploying two-factor authentication and resetting passwords on the affected systems;
- Blocking all access to the affected systems on the firewall;
- Shutting down the affected systems until the patch is available;
- Rebooting the system with default settings.
Lack of Visibility
Hank Schless, senior manager for security solutions at security firm Lookout, says zero-day attacks often happen because most organizations' IT and security staff do not have adequate visibility across all endpoints.
"This includes out-of-date apps that could have exploitable vulnerabilities across desktop and mobile. IT and security teams need to prioritize security for all endpoints, from tablets and smartphones to desktops and laptops, when securing their organization’s infrastructure," Schless says.
Schless also recommends that organizations ensure they have the necessary visibility on software components, such as open source encryption libraries and advertising software developer kits, that could be exploited to target mobile users.
"You should operate with the assumption that attackers are already in your environment, using credentials stolen from phishing attacks across phones, tablets and laptops," he says.
Other security vendors have also warned about issues affecting their products or internal networks.
In January, researchers warned that attackers are scanning for vulnerabilities on about 100,000 affected broadband products from Chinese manufacturer Zyxel, including VPN gateways, access point controllers and firewalls (see: Researchers Warn Attackers Are Scanning for Zyxel Products).
Over the past two months, several security vendors, including FireEye, Malwarebytes and Mimecast, have acknowledged that their infrastructure and networks have been affected by the hackers involved in the SolarWinds supply chain attack (see: SolarWinds Hackers Cast a Wide Net).
Update: Patched Firmware Released
Update (Feb. 4, 2021): SonicWall has released "a critical firmware update to patch a zero-day vulnerability on SMA 100 series 10.x code," as well as other security fixes. SonicWall recommends that all customers with SMA 100 series devices running 10.x code "immediately apply the patch."
Affected SMA 100 series devices include multiple physical appliances - SMA 200, SMA 210, SMA 400, SMA 410 - as well as virtual appliances, which are the SMA 500v for Azure, Amazon Web Services, ESXi and HyperV.