Zero Day Attack of SonicWall Firewalls
SonicWall Firewall Event Summary
SonicWall disclosed this weekend a zero-day attack that exploited a flaw in the company’s remote access products. The attack compromised SonicWall’s NetExtender VPN client and SMB-oriented Secure Mobile Access 100 Series product, which are used to provide employees and users with remote access to internal resources.
SonicWall is asking partners and customers who use the SMA 100 series to use a firewall to allow only SSL-VPN connections to the SMA appliance from known/whitelisted IPs, or to configure whitelist access on the SMA directly.
SonicWall Attack Details
SonicWall disclosed on Friday evening an attack by “highly sophisticated threat actors” targeting previously unknown vulnerabilities in order to gain access to several SonicWall remote access products.
According to SonicWall, the products affected are as follows:
- Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance
Please note that SonicWall firewalls, SMA 1000 series devices, and SonicWave access points have been determined not to be affected by this vulnerability. There has been conflicting news as to whether the SonicWall NetExtender VPN client was potentially exploited. Initial reports mentioned that it was vulnerable, and other reports claim that the NetExtender VPN zero-day exploit has since been ruled out. We are monitoring for an official statement by the vendor to clarify their position on this issue.
SonicWall recommends that multi-factor authentication be enabled on all SonicWall SMA, firewall and MySonicWall accounts.
We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet, while we continue to investigate the vulnerability. Use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs, or configure whitelist access on the SMA directly. If SOD does not manage your firewalls, please refer to this document for instructions on how to proceed.
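One way to check that the whitelist restriction described above is actually in effect, as an added example that is not part of the original advisory or any SonicWall tooling: it reviews firewall connection records for allowed SSL-VPN connections to the SMA from sources outside the whitelist. The log format, addresses, port and all names are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed values, constructed for this example (documentation address ranges).
SMA_ADDRESS = ipaddress.ip_address("192.0.2.10")  # hypothetical SMA appliance
SSLVPN_PORT = 443                                  # assumed SSL-VPN listener port
ALLOWLIST = [ipaddress.ip_network(n)
             for n in ("198.51.100.0/24", "203.0.113.8/32")]

# Constructed firewall connection records: time,src,dst,dport,action
SAMPLE_LOG = """\
2000-01-01T09:01:12Z,198.51.100.25,192.0.2.10,443,allow
2000-01-01T09:02:40Z,203.0.113.77,192.0.2.10,443,allow
2000-01-01T09:02:41Z,203.0.113.77,192.0.2.10,443,allow
2000-01-01T09:03:05Z,203.0.113.90,192.0.2.10,443,deny
2000-01-01T09:05:30Z,203.0.113.77,192.0.2.20,443,allow
2000-01-01T09:06:00Z,not-an-ip,192.0.2.10,443,allow
"""

def audit(log_text):
    """Return (violations, unparsed).

    violations: Counter of source IPs outside ALLOWLIST whose SSL-VPN
    connections to the SMA were allowed (the rule is missing or too broad).
    unparsed: lines that could not be parsed, kept for manual review
    instead of being silently dropped.
    """
    violations, unparsed = Counter(), []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        fields = line.split(",")
        try:
            _, src, dst, dport, action = fields
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            unparsed.append(line)
            continue
        # Only allowed traffic to the SMA's SSL-VPN port is of interest.
        if dst_ip != SMA_ADDRESS or port != SSLVPN_PORT or action != "allow":
            continue
        if not any(src_ip in net for net in ALLOWLIST):
            violations[str(src_ip)] += 1
    return violations, unparsed

if __name__ == "__main__":
    bad, skipped = audit(SAMPLE_LOG)
    for ip, count in bad.most_common():
        print(f"allowed from non-whitelisted source {ip}: {count} connection(s)")
    print(f"{len(skipped)} line(s) need manual review")
```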
As information is made available, the Security on Demand Threat Recon Unit will continue to monitor these events and will focus on examining customer environments in which the affected SonicWall products are in use. Please note that this information is quickly evolving and may change as further information about the attack is revealed. The Threat Recon Unit will continue to monitor this activity and will provide any critical updates as more information is provided. Please contact us if you have any questions.