Hackers are exploiting a critical zero-day in SonicWall firewalls


Network security provider SonicWall said on Monday that hackers are exploiting a critical zero-day vulnerability in one of the firewalls it sells.

The security flaw lies in the Secure Mobile Access 100 series, SonicWall said in an updated statement on Monday. The vulnerability, which affects the 10.x versions of the SMA 100 firmware, is not expected to receive a fix until late Tuesday.

Monday’s update came a day after security company NCC Group said on Twitter that it had detected “indiscriminate use of an exploit in the wild”. The NCC tweet referred to an earlier version of the SonicWall statement that said its researchers had “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products”.

In an e-mail, a spokeswoman for the NCC Group wrote: “Our team observed signs of an attempt to exploit a vulnerability that affects SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth”.

In Monday’s update, SonicWall representatives said the company’s engineering team had confirmed that the NCC Group submission included a “critical zero-day” in the SMA 100 series 10.x code. SonicWall is tracking it as SNWLID-2021-0001.

The disclosure makes SonicWall at least the fifth major company to report in recent weeks that it has been the target of sophisticated hackers. The others include network management tool provider SolarWinds, Microsoft, FireEye and Malwarebytes. CrowdStrike also reported being targeted but said the attack was unsuccessful.

Neither SonicWall nor the NCC Group said that the SonicWall zero-day hack was linked to the SolarWinds hacking campaign. Based on the timing of the disclosure and some of the details in it, however, there is widespread speculation that the two are connected.

The NCC Group declined to provide further details until the zero-day is patched, to prevent the flaw from being exploited further.

People using SonicWall’s SMA 100 series should read the company’s notices carefully and follow the interim instructions to protect the products before a patch is released. Chief among them:

  1. If you must continue operating the SMA 100 series device until a patch is available:
    • Enable MFA. This is a *CRITICAL* step until the patch is available.
    • Reset user passwords for accounts that used the SMA 100 series with 10.x firmware.
  2. If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall;
  3. Turn off the SMA 100 series device (10.x) until a patch is available; or
  4. Load firmware version 9.x after a reset to factory default settings. *Back up your 10.x settings.*
    • Important note: A direct downgrade from firmware 10.x to 9.x with settings intact is not supported. You must first reset the device to factory defaults and then load a backup 9.x configuration or reconfigure the SMA 100 from scratch.
    • Be sure to follow the security best-practice guidelines for multifactor authentication (MFA) if you choose to install 9.x.

SonicWall firewalls and SMA 1000 series devices, as well as all respective VPN clients, are unaffected and remain safe for use.
