NCC Group recently reported that an active zero-day SonicWall SMA 100 zero-day vulnerability is being exploited in the wild. Sonicwall commented that it affects the SMA 100 series (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v) line of remote access appliances. However, both companies did not provide any further information to mitigate the risk of unintentionally disclosing attack vectors. SonicWall is yet to release a fix as of yet for its affected product, which is expected by Tuesday’s end. The company has tracked this vulnerability as SNWLID-2021-0001.
Last week SonicWall reported a coordinated attack on its internal systems by highly sophisticated threat actors. According to reports, only SMA 100 Series is affected, and SonicWall Firewalls, NetExtender VPN Client, and SMA 1000 Series remain unaffected, and customers need not take any actions. The company stated that customers may continue NetExtender for remote access with the SMA 100 series.
Physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v).
SonicWall has advised that multi-factor authentication (MFA) must be enabled on all SonicWall SMA, Firewall & MySonicWall Accounts. SonicWall released the following note:
While we work to develop, test and release the patch, customers have the following options:
- If you must continue operation of the SMA 100 Series appliance until a patch is available
- Enable MFA. This is a *CRITICAL* step until the patch is available.
- Reset user passwords for accounts that utilized the SMA 100 series with 10.X firmware
- If the SMA 100 series (10.x) is behind a firewall, block all access to the SMA 100 on the firewall;
- Shut down the SMA 100 series device (10.x) until a patch is available; or
- Load firmware version 9.x after a factory default settings reboot. *Please back up your 10.x settings*
- Important Note: Direct downgrade of Firmware 10.x to 9.x with settings intact is not supported. You must first reboot the device with factory defaults and then either load a backed up 9.x configuration or reconfigure the SMA 100 from scratch.
- Ensure that you follow multifactor authentication (MFA) best practice security guidance if you choose to install 9.x.
SonicWall firewalls and SMA 1000 series appliances, as well as all respective VPN clients, are unaffected and remain safe to use.
SanerNow software deployment capability can be used to install executables/scripts.