SonicWall Zero-Day Vulnerabilities

UPDATE: On January 29th, 2021, SonicWall confirmed that a threat actor(s) is targeting SMA 100 series devices and that SonicWall customers have identified attacks employing stolen credentials.

THE THREAT:

The network security appliances company, SonicWall, has publicly acknowledged it was targeted in an attack involving multiple zero-day vulnerabilities. In this attack, threat actors exploited previously unknown vulnerabilities in the SonicWall Secure Mobile Access product. It is currently unclear whether SonicWall customers were affected by the attack, or whether these vulnerabilities were exploited on a wider scale.

Organizations employing the vulnerable products are recommended to review their SonicWall configurations and apply the recommendations provided below.

What we’re doing about it

• MVS has a remote plugin to identify vulnerable systems
  • MVS customers seeking assistance with their review or scans, please contact your MVS consultant or the eSentire Security Operations Center (SOC)
• eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

• Review the SonicWall advisory and apply the product specific recommendations
• Only allow access from whitelisted IP addresses
• Enable Multi-Factor Authentication (MFA) for all SonicWall SMA, Firewall, and MySonicWall accounts
• If mitigation actions are not feasible, evaluate business impact of restricting access to affected devices from untrusted networks until the issue is resolved
• Apply security patches once they are made available

Additional information

SonicWall has not attributed the attack to any specific actor at this time but did state that the group is highly sophisticated and exploited multiple zero-day vulnerabilities. The knowledge base article posted by SonicWall will be updated with additional information as it becomes available.

Currently, information related to the vulnerabilities is limited. CVE numbers and vulnerability types are currently not public knowledge.

Known Impacted SonicWall Products (as of January 25th, 2021):

• Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance

Products Currently Under Review by SonicWall (as of January 25th, 2021):

• Secure Mobile Access (SMA) 100 Series

References:

[1] https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability-updated-jan-23-2021/210122173415410/