Hackers exploit critical zero-day on SonicWall devices


Network security provider SonicWall said on Monday that hackers were exploiting a critical zero-day vulnerability in one of the devices it sells.

The security flaw lies in the Secure Mobile Access 100 series, SonicWall said in an updated advisory on Monday. The vulnerability, which affects the 10.x firmware of the SMA 100, is not expected to be patched until the end of Tuesday.

Monday’s update came a day after security firm NCC Group said on Twitter that it had detected “indiscriminate use of an exploit in the wild”. NCC’s tweet referred to an earlier version of SonicWall’s advisory, which said its researchers had “identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products”.

In an email, a spokesperson for the NCC Group wrote: “Our team has observed signs of an attempt to exploit a vulnerability affecting the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in depth.”

In Monday’s update, representatives from SonicWall said the company’s engineering team had confirmed that the NCC Group submission included a “critical zero-day” in the 10.x code of the SMA 100 series. SonicWall tracks it as SNWLID-2021-0001. The SMA 100 series is a range of secure remote access appliances.

The disclosure makes SonicWall at least the fifth major company to report in recent weeks that it has been the target of sophisticated hackers. The others include network management tool vendor SolarWinds, Microsoft, FireEye, and Malwarebytes. CrowdStrike also said it was a target, but said the attack failed.

Neither SonicWall nor NCC Group said the hack involving the SonicWall zero-day was linked to the larger SolarWinds hacking campaign. However, based on the timing of the disclosure and some of the details in it, there is widespread speculation that the two are connected.

NCC Group declined to provide further details until the zero-day is fixed, to prevent the flaw from being exploited further.

Anyone using the SonicWall SMA 100 series should carefully read the company’s advisory and follow the interim instructions to secure the products until a fix is released. The main ones are:

  1. If you want to continue using the SMA 100 series device until a fix is available:
    • Enable MFA. This is a * CRITICAL * step until the patch is available.
    • Reset user passwords for accounts that used the SMA 100 series with 10.x firmware.
  2. If the SMA 100 (10.x) series is behind a firewall, block all access to the SMA 100 on the firewall;
  3. Power off the SMA 100 (10.x) series device until a fix is available; or
  4. Load firmware version 9.x after resetting to factory defaults. * Make a backup of your 10.x configuration first. *
    • Important note: A direct downgrade from firmware 10.x to 9.x with the configuration intact is not supported. You must first reset the device to factory settings and then load a saved 9.x configuration or reconfigure the SMA 100 from scratch.
    • Be sure to follow the Multi-Factor Authentication (MFA) Best Practices Security Guide if you choose to install 9.x.
    • SonicWall firewalls and SMA 1000 series appliances, as well as their respective VPN clients, are unaffected and remain safe to use.

This message has been updated to correct the description of the SMA 100.
