Stephen Finn - stock.adobe.com

SonicWall confirms zero-day vulnerability on SMA 100 series

After testing NCC Group's findings, SonicWall 'confirmed their submission as a critical zero-day in the SMA 100 series 10.x code, and are tracking it as SNWLID-2021-0001.'

After a SonicWall security advisory referred to "probable" zero-days in several products nearly two weeks ago, the vendor has confirmed at least one zero-day vulnerability in its SMA 100 series.

The vulnerability was confirmed in an updated security notice on the security vendor's website Monday afternoon. The initial Jan. 22 notice disclosed that SonicWall had been breached by "highly sophisticated threat actors" using suspected -- but not confirmed -- zero-days.

The updated advisory explained that the vulnerability impacts the company's Secure Mobile Access (SMA) 100 series 10.x code (physical and virtual devices, including SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) and does not impact previous versions of the SMB-focused remote access product. Moreover, "SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and remain safe to use."

SonicWall is working on a patch, which is scheduled to be available by end of Tuesday.

UPDATE 2/3: SonicWall released the critical firmware update for the zero-day vulnerability on SMA 100 series 10.x code. The vendor urged customers to apply the patch, which "contains additional code to strengthen the device," for all physical and virtual appliances immediately.

Regarding mitigations, SonicWall provided multiple options while the patch is in development. If a customer needs to continue using their device, the company recommends enabling MFA and resetting user passwords on accounts that used 10.x firmware. Otherwise, SonicWall recommends either blocking all firewall access to the SMA 100, shutting down the device until a patch is available, or factory resetting and loading 9.x firmware after backing up 10.x settings.

According to the notice, the zero-day was confirmed after the NCC Group, a fellow security vendor, informed SonicWall. In an early morning tweet on Jan. 31, NCC Group referenced a "possible candidate" for a zero-day vulnerability.

"We've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs," the tweet read.

The SonicWall engineering team then "confirmed their submission as a critical zero-day in the SMA 100 series 10.x code, and are tracking it as SNWLID-2021-0001."

NCC Group principal security consultant Rich Warren provided additional context in two tweet replies on Jan. 31. In one tweet discussing the process of finding the vulnerability, Warren wrote, "It is usually the case that we hear there is an interesting bug, then try to find the details through honeypot/RE. In this case, the actor hit the HP before we'd turned on pcaps, so only had the request path to go on."

In another tweet, Warren was asked by Nextron Systems CTO Florian Roth, "Would it be a good recommendation to restrict source IPs that are allowed to communicate with the management interfaces?" Warren said, "Yes. It wouldn't prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended."

Beyond the references to the nature of the exploitation and an actor hitting the honey pot, little information is available regarding the threat actor or actors that initially breached SonicWall.

The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert Tuesday regarding the SMA 100 series vulnerability, advising administrators and users to "implement multifactor authentication on all virtual private network connections." CISA also said reports of additional SonicWall zero-days have not been confirmation and are still under investigation.

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Threats and vulnerabilities