Actively exploited SonicWall zero-day affects SMA 100 series appliances

SonicWall has confirmed that the actively exploited zero-day vulnerability spotted by the NCC Group on Sunday affects its Secure Mobile Access (SMA) 100 series appliances.

The firm did not outright state it, but it’s likely the same one “highly sophisticated threat actors” used to mount an attack on its internal systems.


The search for the exploited SonicWall zero-day

Since January 22, when SonicWall first shared the fact that they’ve been successfully targeted, the company has been working on determining which of its cybersecurity products had zero-day vulnerabilities that may have been exploited by the attackers.

As the days passed, they ruled out several offerings, and zeroed in on the SMA 100 series as the probable vulnerable product.

On Friday (January 29), they shared that they received and analyzed several reports from their customers of potentially compromised SMA 100 series devices, but that they have only observed the use of previously stolen credentials to log into the SMA devices.

“We’re also aware of social media posts that shared either supposed proof of concept (PoC) exploit code utilizing the Shellshock exploit, or screenshots of allegedly compromised devices,” the company said.

“We have confirmed that the Shellshock attack has been mitigated by patches that we released in 2015. We have also tested the shared PoC code and have so far concluded that it is not effective against firmware released after the 2015 patch.”

On Sunday, January 31, the NCC Group flagged a potential zero-day candidate:

Mitigation and remediation

On Monday (February 1), SonicWall confirmed that the vulnerability affects SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) physical and virtual appliances running firmware v10.x, and that they expect to make a patch available by the end of Tuesday (February 2).

In the meantime, they advised customers to enable MFA on SMA 100 series appliances if they must continue to use them, and reset user passwords for accounts that utilized the SMA 100 series with 10.X firmware.

Customers could also block all access to the SMA 100 on the firewall (if the device is behind one), load firmware version 9.x after a factory default settings reboot (and then enable MFA), or shut down the SMA 100 series device (10.x) until a patch is available.

Neither the NCC Group nor SonicWall offered more details about the vulnerability, but the former advised companies to check logs for “source IPs hitting management interfaces you would not expect.”
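The NCC Group's log-review advice above, turned into a small triage script. This is an added example, not code from the article, NCC Group or SonicWall; the log line format, the /admin/ management prefix and the expected admin network are constructed assumptions to be replaced with your own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical format (not SonicWall's real
# syntax): timestamp, source IP, HTTP method, requested path.
SAMPLE_LOG = """\
2021-02-01T08:12:03Z 10.0.5.23 GET /portal/welcome
2021-02-01T08:12:09Z 10.0.5.23 POST /portal/login
2021-02-01T08:13:41Z 203.0.113.77 GET /admin/
2021-02-01T08:13:44Z 203.0.113.77 POST /admin/settings
2021-02-01T08:15:02Z 192.168.1.10 GET /admin/
2021-02-01T08:16:30Z 198.51.100.9 GET /portal/welcome
"""
# Source networks admins are expected to use (hypothetical; set your own).
EXPECTED_ADMIN_NETS = [ipaddress.ip_network("192.168.1.0/24")]
# URL prefixes treated as the management interface (hypothetical).
MGMT_PREFIXES = ("/admin/",)
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+)$")

def parse_line(line):
    """Return (timestamp, source IP, method, path), or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path = m.groups()
    try:
        return ts, ipaddress.ip_address(src), method, path
    except ValueError:  # unparsable source address
        return None

def unexpected_mgmt_sources(log_text, expected_nets=EXPECTED_ADMIN_NETS,
                            mgmt_prefixes=MGMT_PREFIXES):
    """Count management-path requests per source IP that lies outside
    expected_nets; these are the hits an analyst should review."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, src, _, path = parsed
        if path.startswith(mgmt_prefixes) and not any(src in n for n in expected_nets):
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for ip, n in unexpected_mgmt_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) to a management path")
```

Point the script at exported appliance or reverse-proxy logs once you have adjusted the regex and prefixes to the real format; the output is a review list, not a verdict.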

UPDATE (February 3, 2021, 14:00 a.m. PT):

SonicWall has released SMA 100 series firmware 10.2.0.5-29sv update to patch the vulnerabilities reported by the NCC Group (including an exploit to gain admin credential access and a subsequent remote-code execution attack).

Links to the updates and additional mitigation advice are available here.
