Zero day revealed in SonicWall's SMA 100 after a recent breach of its internal network

A coordinated attack against SonicWall's internal systems brought to light a zero-day vulnerability in its secure remote access product.


SonicWall is widely known as a pure-play manufacturer of cyber security hardware such as firewall devices, VPN gateways and endpoint security solutions. Last Friday, its internal network was breached by sophisticated threat actors who used a zero-day vulnerability in its SMB-oriented remote access product, Secure Mobile Access (SMA).

About the SonicWall zero day

As of now, only the vendor's SMA 100 Series remains vulnerable. The vulnerability is still unlabeled and has no CVE ID associated with it. SonicWall has published a knowledge base article that provides further updates on its investigation into the zero-day flaw, as well as guidelines for mitigating the vulnerability until fixes are made available.

Coupled with SonicWall's NetExtender VPN client version 10.x, the SMB-oriented SMA 100 gateway appliances provide users with remote access to internal network resources. Initially, NetExtender 10.x was also referenced as vulnerable, but SonicWall clarified in its updated security notice that NetExtender 10.x is not susceptible to this vulnerability and can be safely used with all SonicWall products.

Who is vulnerable?

The SMA 100 Series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) is impacted by this zero-day. For more details, refer to the security notice. Any SonicWall customer who has deployed the affected products in their network is vulnerable.

Which SonicWall Products remain unaffected?

SonicWall later clarified that the following products remain unaffected by the vulnerability impacting the SMA 100 series. Therefore, no action is required from customers or partners regarding these products:

  • The SMA 100 associated client, NetExtender 10.x, is not susceptible to this vulnerability and can be safely used with all SonicWall products.
  • All generations of SonicWall firewalls are not affected.
  • Customers are safe to use the SMA 1000 series and its associated clients.
  • SonicWave Access Points are not affected.

How to mitigate this vulnerability?

As per SonicWall's mitigation guidance, SMA 100 series administrators are advised to create specific access rules, or to disable Virtual Office and HTTPS administrative access from the Internet, until security patches are released by the vendor.

How can Vulnerability Manager Plus help?

Vulnerability Manager Plus, ManageEngine's threat and vulnerability management software, helps you assess vulnerabilities, remediate misconfigurations, deploy patches and accomplish much more from one central console. Using Vulnerability Manager Plus, you can instantly detect machines on which NetExtender 10.x is installed; these are then displayed under a dedicated zero-day vulnerability section in the web console. Note that NetExtender 10.x itself isn't vulnerable. NetExtender 10.x installations are detected only to bring to your attention that there may be SMA 100 appliances deployed in your network. Users will have to manually verify whether they're running SMA 100 appliances in their network and follow the mitigation steps recommended by SonicWall.
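As an added illustration (not code from this post, ManageEngine or SonicWall's notice), the following Python script applies the affected and unaffected product lists above, the interim mitigation guidance (restrict Virtual Office and HTTPS admin access from the Internet) and the "NetExtender 10.x as an indicator, verify manually" approach from this section to a constructed asset inventory. The `Asset` record layout, the `internet_exposed` service names and all hostnames and versions are assumptions of this example.

```python
"""Triage a constructed asset inventory against the SonicWall SMA 100 zero-day notice.

Added example; not part of the original post. Product names come from the
notice as quoted above; inventory fields and sample values are assumptions.
"""
from dataclasses import dataclass, field

# Appliances the notice lists as impacted by the zero-day.
AFFECTED_SMA100 = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# Services SonicWall's interim guidance says to restrict or disable from the
# Internet until a patch ships (service labels are this example's own).
EXPOSED_SERVICES_TO_RESTRICT = {"virtual_office", "https_admin"}


@dataclass
class Asset:
    host: str
    kind: str                 # "appliance", "firewall", "access_point" or "endpoint" (assumed taxonomy)
    product: str              # e.g. "SMA 410", "SMA 1000", "NetExtender"
    version: str = ""         # client version, used for NetExtender endpoints
    internet_exposed: set = field(default_factory=set)  # services reachable from the WAN (assumed field)


def triage(asset: Asset) -> dict:
    """Return the verdict and the defender action for one asset."""
    if asset.product in AFFECTED_SMA100:
        exposed = asset.internet_exposed & EXPOSED_SERVICES_TO_RESTRICT
        if exposed:
            return {"host": asset.host, "verdict": "vulnerable",
                    "action": "restrict from Internet: " + ", ".join(sorted(exposed))}
        return {"host": asset.host, "verdict": "vulnerable",
                "action": "interim mitigation in place; apply vendor patch when released"}
    if asset.product == "NetExtender" and asset.version.startswith("10."):
        # The client itself is not vulnerable; it only hints that an SMA 100
        # gateway may be serving it, which must be verified by hand.
        return {"host": asset.host, "verdict": "indicator",
                "action": "verify whether an SMA 100 appliance serves this client"}
    if asset.product.startswith("SMA 1000") or asset.kind in {"firewall", "access_point"}:
        return {"host": asset.host, "verdict": "unaffected", "action": "none"}
    return {"host": asset.host, "verdict": "out_of_scope", "action": "none"}


def triage_inventory(assets):
    """Triage every asset, preserving inventory order."""
    return [triage(a) for a in assets]


def summary(results):
    """Count assets per verdict so the console view can be prioritised."""
    counts = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


# Constructed sample inventory: hostnames, versions and exposure are made up.
SAMPLE_INVENTORY = [
    Asset("sma-edge-01", "appliance", "SMA 410",
          internet_exposed={"https_admin", "virtual_office", "user_portal"}),
    Asset("sma-edge-02", "appliance", "SMA 500v", internet_exposed={"user_portal"}),
    Asset("sma-ent-01", "appliance", "SMA 1000"),
    Asset("fw-hq-01", "firewall", "SonicWall firewall"),
    Asset("ap-lobby-01", "access_point", "SonicWave"),
    Asset("laptop-0042", "endpoint", "NetExtender", version="10.2.0"),
    Asset("laptop-0043", "endpoint", "NetExtender", version="9.0.0"),
]

if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for r in results:
        print(f"{r['host']:<14} {r['verdict']:<12} {r['action']}")
    print(summary(results))
```

Running the script lists each host with its verdict and action; the two SMA 100 appliances are flagged as vulnerable, with the Internet-exposed one told exactly which services to restrict, while the NetExtender 10.x laptop is surfaced only as an indicator that needs a manual check, mirroring the detection behaviour described above.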

Within just the last couple of months, SonicWall has become the fourth security vendor to fall victim to a security breach, after FireEye, Microsoft, and Malwarebytes. With Vulnerability Manager Plus, you can constantly monitor your network for vulnerabilities, prioritize remediation of the imminently exploitable ones and remediate them with the built-in patching functionality, thereby closing the vulnerability management loop.

It's better to be safe than sorry! Start defending your network with a free, 30-day trial of Vulnerability Manager Plus now and save yourself from the densely populated club of cyber casualties.
