SonicWall on Monday confirmed that its Secure Mobile Access (SMA) 100 series appliances are affected by a zero-day vulnerability that has apparently already been exploited in attacks.
SonicWall told SecurityWeek that a few thousand devices are exposed to attacks due to the zero-day vulnerability. The cybersecurity solutions provider says it’s working on developing patches and, in the meantime, it has shared some recommendations on how customers can protect their networks against potential attacks.
The company revealed on January 22 that it had identified a “coordinated attack on its internal systems” that was apparently launched by a highly sophisticated threat group that may have exploited zero-day vulnerabilities in some of the company’s secure remote access products.
SonicWall initially said its NetExtender VPN client and SMA 100 series products may be impacted, but it later determined that the NetExtender VPN client, SonicWall firewalls, SMA 1000 series devices, and SonicWave APs are not affected.
Only SMA 100 series devices remained under investigation, but an update shared on January 29 said the company could still not confirm the existence of a zero-day vulnerability affecting these products.
On Sunday, January 31, however, cybersecurity firm NCC Group reported discovering a possible candidate for the vulnerability, for which the company had seen “indiscriminate” attempts to exploit in the wild.
Following NCC’s report, SonicWall on Monday confirmed the existence of a zero-day flaw affecting SMA 100 series 10.x physical and virtual devices, specifically SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v. The vendor said firewalls, 1000 series appliances and VPN clients do not appear to be affected, and neither are SMA 100 series devices running a firmware version prior to 10.x. A CVE identifier has yet to be assigned for this vulnerability.
SonicWall hopes to release a patch by the end of the day on February 2. In the meantime, customers can prevent potential attacks by enabling multi-factor authentication and changing passwords for accounts that used affected SMA appliances, by blocking access to the appliances on the firewall, by shutting down impacted appliances, or by downgrading the firmware on the device to version 9.x.
Shortly after SonicWall disclosed the breach, some anonymous individuals claimed the company was hit by ransomware and the attackers had stolen source code and customer data, but none of those claims have been confirmed. At least some of the claims seen by SecurityWeek at the time seemed questionable.