Governance & Risk Management , Patch Management

SonicWall Confirms Zero-Day Flaw Affects Certain Products

Researchers Spot Exploits in the Wild; Company Developing Patch
SonicWall Confirms Zero-Day Flaw Affects Certain Products

Editor's note: SonicWall on Wednesday released updated firmware to fix the vulnerabilities detailed below. See story update, below.

SonicWall confirmed Monday that a zero-day vulnerability is affecting its Secure Mobile Access, or SMA, gateway product line, and the company is developing a patch to address the issue.

The latest update from SonicWall, which first alerted customers to a possible "coordinated attack" on its internal network Jan. 22, comes after researchers at the NCC Group warned Sunday that they had found exploits for this flaw circulating in the wild.

An NCC spokesperson tells Information Security Media Group: "Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth."

On Monday, SonicWall posted an update to customers that it had confirmed the findings of the NCC report and that the company's engineers were working on an patch that it planned to push out to customers Tuesday.

"SonicWall believes it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community, and we are working around the clock to deliver a patch that will address the problem," the company notes.

What's Affected?

SonicWall says it’s confirmed that the vulnerability is limited to its gateway products running the company's SMA 100 firmware 10.x code, according to the update. This includes SonicWall's SMA 200, SMA 210, SMA 400 and SMA 410 physical appliances as well as the SMA 500v virtual appliance.

The company says these appliances are used to provide users at small businesses as well as large enterprises with remote access to internal resources.

SonicWall says that the vulnerability is affecting a "few thousand" of the company's gateway products.

The company is recommending temporary measures that its affected customers can take to safeguard their devices ahead of patching. These include:

  • Deploying two-factor authentication and resetting passwords on the affected systems;
  • Blocking all access to the affected systems on the firewall;
  • Shutting down the affected systems until the patch is available;
  • Rebooting the system with default settings.

Lack of Visibility

Hank Schless, senior manager for security solutions at security firm Lookout, says zero-day attacks often happen because most organizations' IT and security staff do not have adequate visibility across all endpoints.

"This includes out-of-date apps that could have exploitable vulnerabilities across desktop and mobile. IT and security teams need to prioritize security for all endpoints, from tablets and smartphones to desktops and laptops, when securing their organization’s infrastructure," Schless says.

Schless also recommends that organizations ensure they have the necessary visibility on software components, such as open source encryption libraries and advertising software developer kits, that could be exploited to target mobile users.

"You should operate with the assumption that attackers are already in your environment, using credentials stolen from phishing attacks across phones, tablets and laptops," he says.

Other Attacks

Other security vendors have also warned about issues affecting their products or internal networks.

In January, researchers warned that attackers are scanning for vulnerabilities on about 100,000 affected broadband products from Chinese manufacturer Zyxel, including VPN gateways, access point controllers and firewalls (see: Researchers Warn Attackers Are Scanning for Zyxel Products).

Over the past two months, several security vendors, including FireEye, Malwarebytes and Mimecast, have acknowledged that their infrastructure and networks have been affected by the hackers involved in the SolarWinds supply chain attack (see: SolarWinds Hackers Cast a Wide Net).

***

Update: Patched Firmware Released

Update (Feb. 4, 2021): SonicWall has released "a critical firmware update to patch a zero-day vulnerability on SMA 100 series 10.x code," as well as other security fixes. SonicWall recommends that all customers with SMA 100 series devices running 10.x code "immediately apply the patch."

Affected SMA 100 series devices include multiple physical appliances - SMA 200, SMA 210, SMA 400, SMA 410 - as well as virtual appliances, which are the SMA 500v for Azure, Amazon Web Services, ESXi and HyperV.


About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.