SonicWall Breach Stems from ‘Probable’ Zero-Days

zero day

The security vendor is investigating potential zero-day vulnerabilities in its Secure Mobile Access (SMA) 100 series.


SonicWall said a zero-day in its SMA 100 series 10.x code was targeted by “highly-sophisticated” attackers.

The security company initially said it is currently investigating its Secure Mobile Access (SMA) 100 series hardware for potential vulnerabilities linked to a reported cyberattack. SMA 100 is a gateway for small- and medium-sized businesses that lets authorized users access resources remotely. SMA 100 also gives system administrators visibility into remote devices that are connecting to the corporate network – and grants endpoints access based on corporate policies.

“On Sunday, January 31, 2021, the NCC Group alerted the SonicWall Product Security Incident Response Team (PSIRT) about a potential zero-day vulnerability in the SMA 100 series. Our engineering team confirmed their submission as a critical zero-day in the SMA 100 series 10.x code,” said SonicWall in an updated statement.

This vulnerability affects both physical and virtual SMA 100 10.x devices (SMA 200, SMA 210, SMA 400, SMA 410, SMA 500v). A few thousand devices are impacted. SMA 100 firmware prior to 10.x is unaffected by this zero-day vulnerability.

SonicWall said current SMA 100 series customers may continue to use NetExtender for remote access with the SMA 100 series, as it has determined that this use case is not susceptible to exploitation. NetExtender is SonicWall’s VPN client for Windows and Linux, and allows customers to connect to SMA 100 for secure access to their company’s network.

SonicWall said that at this time, it is “critical” that organizations with active SMA 100 series appliances enable two-factor authentication (2FA). More information for doing so can be found here.

“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products,” according to SonicWall, which first alerted the public of the attack on Friday evening.

Organizations that utilize SMA 100 series products should also consider enabling geo-IP/botnet filtering and creating a policy to block web traffic from countries that don’t need to access their applications; configuring end point control to verify user devices before establishing a connection; and restricting access to the portal by enabling scheduled logins/logoffs, SonicWall recommends.

Not affected by the hack are SonicWall’s lineup of firewall products, the company’s SMA 1000 series, SonicWall SonicWave access points (APs) and the NetExtender VPN client. Initially, in its Friday disclosure SonicWall had identified the NetExtender 10.X VPN client as potentially being targeted by attackers – however, the company said that has now been ruled out.

“[NetExtender] may be used with all SonicWall products,” according to the company. “No action is required from customers or partners.”

Further information about the cyberattack itself is not available at this time; when asked by Threatpost for further comment a SonicWall spokesperson said the only information it will currently divulge is within its security alert. On Monday, SonicWall said on Twitter said that it will provide another update on the attack “within 24 hours” and is “committed to transparency during our ongoing investigations.”

SonicWall said it has recently tracked a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations. The recent cyberattack also comes during a surge in remote workforces due to the COVID-19 pandemic. The presence of vulnerabilities in remote access products gives attackers the abilities to tap into the increased number of remote employees.

In October 2020, SonicWall disclosed a critical security bug in its SonicWall VPN portal that can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said. And in 2018, researchers discovered variants of the Mirai and Gafgyt IoT botnets targeting well-known vulnerabilities in SonicWall.

This article was updated on Jan. 26 at 12pm ET with further guidance from SonicWall for system administrators; and then again on Feb. 2 with confirmation of the product affected by a zero-day. 

Suggested articles