SonicWall confirmed its Secure Mobile Access 100 tool has a critical zero-day flaw a day after researchers said the vulnerability was being exploited in the wild.
“We’ve identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall,” Manchester, England-based NCC Group tweeted from its technical account at 7:07 a.m. U.S. ET Sunday. “We’ve also seen indication of indiscriminate use of an exploit in the wild – check logs.”
Then at 4 p.m. U.S. ET Monday, Milpitas, Calif.-based platform security vendor SonicWall confirmed the zero-day vulnerability identified by the NCC Group and said a few thousand devices are affected. The flaw impacts both physical and virtual SMA 100 version 10.x devices such as the SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v, and SonicWall expects to have a patch by the end of the day Tuesday.
“SonicWall believes it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community and we are working around the clock to deliver a patch that will address the problem,” the company said in a Monday afternoon update to its blog.
The NCC Group alerted the SonicWall Product Security Incident Response Team Sunday to the potential flaw in the SMA 100 series, and SonicWall said its engineering team subsequently confirmed their submission as a critical zero-day vulnerability. Customers that must use SMA 100 series products prior to the release of the patch are urged to enable multi-factor authentication and reset user passwords.
Alternatively, SonicWall said SMA 100 10.x customers can: block all access to the SMA 100 on the firewall if the device is behind a firewall; shut down the SMA 100 series device until a patch is available; or load firmware version 9.x after a factory default settings reboot. The compromised SMB-oriented SMA 100 series is used to provide employees and users with remote access to internal resources.
NCC Group researchers declined to provide indicators of what an SMA 100 exploit would look like in the customer’s logs since that would tip off others looking to do harm. However, researchers were able to share on Twitter Sunday morning that the SonicWall exploit would result in source IPs hitting unexpected management interfaces.
NCC Group Principal Security Consultant Rich Warren recommended on Twitter midday Sunday that organizations restrict source IPs that are allowed to communicate with the management interfaces. Warren said the restrictions wouldn’t prevent the SonicWall vulnerability from being exploited but would limit what the hackers are able to accomplish post-exploitation.
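The two defensive points above (check logs for source IPs reaching management interfaces they have no business reaching, and restrict which source IPs may talk to those interfaces) can be turned into a simple log review. The script below is an added illustration, not code from NCC Group, SonicWall or the article; the log lines are constructed in a generic combined-log style, and the management path prefix and the allowed management network are placeholders, because the page does not describe the SMA 100 log format or any real URL paths.

```python
import ipaddress
import re

# Constructed, hypothetical log lines in Apache combined-log style.
# The real SMA 100 log format is not described on the page and is not assumed here.
SAMPLE_LOG = """\
203.0.113.9 - - [31/Jan/2021:06:58:01 +0000] "GET /cgi-bin/welcome HTTP/1.1" 200 4121
10.0.5.20 - - [31/Jan/2021:07:00:12 +0000] "POST /cgi-bin/management HTTP/1.1" 200 512
198.51.100.77 - - [31/Jan/2021:07:01:45 +0000] "GET /cgi-bin/management HTTP/1.1" 200 812
198.51.100.77 - - [31/Jan/2021:07:01:46 +0000] "POST /cgi-bin/management HTTP/1.1" 302 0
203.0.113.9 - - [31/Jan/2021:07:03:10 +0000] "GET /cgi-bin/userLogin HTTP/1.1" 200 2100
"""

# Hypothetical management-path prefix (placeholder, not a real SMA 100 path) and the
# source network an administrator has decided is the only legitimate origin of
# management traffic (mirrors the "restrict source IPs" recommendation).
MANAGEMENT_PREFIXES = ("/cgi-bin/management",)
ALLOWED_MGMT_NETWORKS = [ipaddress.ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_management_path(path):
    """True when the request path falls under a management-interface prefix."""
    return any(path.startswith(prefix) for prefix in MANAGEMENT_PREFIXES)


def is_allowed_source(ip_str, networks=ALLOWED_MGMT_NETWORKS):
    """True when the source address is inside one of the allowed management networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        # Unparseable source field: treat as not allowed rather than silently passing it.
        return False
    return any(ip in net for net in networks)


def find_unexpected_management_access(lines, networks=ALLOWED_MGMT_NETWORKS):
    """Return parsed records for management-interface requests from non-allowed sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_management_path(rec["path"]):
            continue
        if not is_allowed_source(rec["ip"], networks):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per source IP, the view an analyst triages first."""
    counts = {}
    for rec in hits:
        counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unexpected_management_access(SAMPLE_LOG.splitlines())
    for rec in flagged:
        print(f"{rec['ts']} {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
    print(summarize_by_source(flagged))
```

Run against the constructed sample, the script flags the two requests from 198.51.100.77 and leaves the request from the allowed 10.0.5.0/24 network alone. In practice the allowlist would be the same set of networks an administrator enforces at the firewall, so any hit in the log is by definition traffic the restriction should have blocked and is worth a closer look.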
Warren and NCC Group CTO Ollie Whitehouse were credited by SonicWall for discovering the vulnerability. Whitehouse said on Twitter Sunday morning that the NCC Group has seen one threat actor indiscriminately exploiting the SonicWall flaw in the wild.
“Team work is dream work,” Whitehouse tweeted at 7:12 a.m. U.S. ET Sunday. “It was nice to use @GHIDRA_RE [a software reverse engineering tool suite] and collaborate with @buffaloverflow [Rich Warren] who drove it home.”
SonicWall first disclosed Jan. 22 that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw on the company’s secure remote access products. The company initially said its NetExtender VPN client tool was also exploited in the attack, but updated its guidance late Jan. 23 to indicate NetExtender doesn’t have a zero-day vulnerability after all.