A SonicWall SMA 100 zero-day vulnerability is being actively exploited in the wild, according to a tweet by cybersecurity firm NCC Group.

On January 22nd, SonicWall disclosed that they suffered an attack on their internal systems using a “probable” zero-day vulnerability in specific SonicWall networking devices.

While SonicWall investigates the vulnerability and has not provided many details, they state that it likely affects their SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) line of remote access appliances.

As mitigation against the attack, SonicWall states that administrators need to enable multi-factor authentication (MFA) on the devices and recommend setting up IP address restrictions to the management interface.

SonicWall vulnerability activity exploited in the wild

Over the weekend, cybersecurity firm NCC Group tweeted that they have detected an exploit against SonicWall SMA 100 devices being used indiscriminately in the wild.

“Our team has observed signs of an attempted exploitation of a vulnerability that affects the SonicWall SMA 100 series devices. We are working closely with SonicWall to investigate this in more depth,” the NCC Group told BleepingComputer.

It is not clear if this exploit is for the same vulnerability recently disclosed by SonicWall but believes it could be a possible candidate.

https://csirt.cy/wp-content/uploads/2021/02/NCCGroup-300x216.png 300w" alt="" width="570" height="411" class="size-full wp-image-7596 aligncenter" style="box-sizing: border-box; border: 0px; vertical-align: middle; clear: both; display: block; margin: 0px auto; height: auto; max-width: 100%; color: rgb(51, 51, 51); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" loading="lazy" />

While NCC Group does not want to provide details of the exploit to prevent further misuse, they suggest administrators monitor their devices’ access logs for unusual IP addresses trying to access the management interface.

Richard Warren, a principal security consultant at NCC Group, also shared that limiting access to the SonicWall management interface would prevent the threat actors from performing post-exploitation attacks.

“Yes. It wouldn’t prevent the vulnerability being exploited but would limit post-exploitation. In addition to MFA as SonicWall have recommended,” tweeted Warren.

For admins of SonicWall devices, it is recommended that MFA be enabled on devices, and even more importantly, restrict access to the management interface to only specific whitelisted IP addresses.

SonicWall confirms zero-day

In an update to their SMA 100 security advisory, SonicWall confirmed the zero-day vulnerability discovered by NCC Group.

SonicWall states that this vulnerability affects SMA 100 series appliances running 10.x firmware and that a patch will be released by the end of the day tomorrow.

“SonicWall has identified the vulnerable code and is working on a patch to be available by end of day on February 2, 2021. This vulnerability affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v).”

While they develop the patch, SonicWall recommends customers perform a downgrade of their devices to use 9.x firmware:

1. If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall;
2. Shut down the SMA 100 series device (10.x) until a patch is available; or
3. Load firmware version 9.x after a factory default settings reboot. *Please back up your 10.x settings*
   1. Important Note: Direct downgrade of Firmware 10.x to 9.x with settings intact is not supported.  You must first reboot the device with factory defaults and then either load a backed up 9.x configuration or reconfigure the SMA 100 from scratch.
   2. Ensure that you follow multifactor authentication (MFA) best practice security guidance if you choose to install 9.x.

Downgrading to the 9.x firmware will require a company to restore their configuration from a 9.x backup or set up the devices from scratch.

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.