SonicWall has confirmed that its Secure Mobile Access (SMA) 100 series has a critical zero-day vulnerability, a day after researchers said the flaw was being exploited in the wild.
“We identified and demonstrated the exploitability of a potential candidate for the vulnerability described and sent details to SonicWall,” the Manchester, England-based NCC Group tweeted from its technical account at 7:07 a.m. ET Sunday. “We also saw evidence of indiscriminate use of an exploit in the wild – check the logs.”
On Monday at 4 p.m. ET, Milpitas, California-based platform security provider SonicWall confirmed the zero-day vulnerability identified by the NCC Group and said several thousand devices were affected. The vulnerability affects both physical and virtual SMA 100 series devices running firmware version 10.x, including the SMA 200, SMA 210, SMA 400, SMA 410 and SMA 500v, and SonicWall expects to release a patch on Tuesday.
“SonicWall believes it is extremely important to be transparent to our customers, our partners and the broader cybersecurity community, and we are working around the clock to deliver a patch that corrects the problem,” the company said in a Monday afternoon update on its blog.
The NCC Group alerted the SonicWall Product Security Incident Response Team on Sunday to the potential bug in the SMA 100 series, and SonicWall said its engineering team subsequently confirmed the submission as a critical zero-day vulnerability. Customers who must keep using SMA 100 series products before the patch is released are urged to enable multi-factor authentication and reset user passwords.
Alternatively, according to SonicWall, SMA 100 10.x customers can block all access to the SMA 100 at the firewall if the device sits behind one, shut down the SMA 100 series device until a patch is available, or load firmware version 9.x after a factory reset. The affected SMA 100 series, aimed at small and midsize businesses, gives employees and users remote access to internal resources.
NCC Group researchers declined to publish indicators of what an SMA 100 exploit would look like in customer logs, as doing so would tip off others who might want to cause harm. However, the researchers did say on Twitter on Sunday morning that exploitation would show up in the logs as unexpected source IPs reaching the administrative interfaces.
Rich Warren, Principal Security Consultant at the NCC Group, recommended on Twitter on Sunday lunchtime that organizations restrict the source IPs allowed to communicate with the administrative interfaces. Warren said the restriction would not prevent the SonicWall vulnerability from being exploited, but would limit what attackers could do after exploitation.
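To illustrate the log check Warren describes, here is an added example (not NCC Group's or SonicWall's code) that flags administrative-interface requests coming from source IPs outside a management allowlist. The log line format, the admin path prefixes, the allowlisted network and the sample lines are all assumptions, since the page does not give the SMA 100 log format.

```python
import ipaddress
import re

# Management networks allowed to reach the admin interface (assumed value).
ALLOWED_ADMIN_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]

# Request paths treated as the administrative interface (assumed; real SMA paths may differ).
ADMIN_PATH_PREFIXES = ("/cgi-bin/management", "/management")

# Assumed access-log shape: "<ISO timestamp> <src_ip> <METHOD> <path> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one access-log line; return None for lines that do not fit the assumed shape."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    return {"ts": ts, "src": ip, "method": method, "path": path, "status": int(status)}


def is_admin_path(path):
    return path.startswith(ADMIN_PATH_PREFIXES)


def unexpected_admin_hits(lines, allowed=ALLOWED_ADMIN_SOURCES):
    """Return (timestamp, source IP, path) for admin-interface requests from outside the allowlist."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        if not any(rec["src"] in net for net in allowed):
            hits.append((rec["ts"], str(rec["src"]), rec["path"]))
    return hits


# Constructed sample log: one allowed management hit, two admin hits from an outside
# address, one ordinary portal request, and one unparseable line.
SAMPLE_LOG = [
    "2021-02-01T03:14:07Z 10.10.0.5 GET /management/ 200",
    "2021-02-01T03:15:22Z 203.0.113.42 GET /cgi-bin/management 200",
    "2021-02-01T03:15:23Z 203.0.113.42 POST /cgi-bin/management 302",
    "2021-02-01T03:16:01Z 198.51.100.7 GET /cgi-bin/portal 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in unexpected_admin_hits(SAMPLE_LOG):
        print("unexpected admin access:", hit)
```

Because the source-IP restriction does not stop exploitation, these hits are a signal to investigate, not proof of compromise on their own.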
Warren and NCC Group CTO Ollie Whitehouse were credited by SonicWall with identifying the vulnerability. Whitehouse said on Twitter on Sunday morning that the NCC Group had seen a threat actor indiscriminately exploiting the SonicWall bug in the wild.
“Teamwork is dream work,” Whitehouse tweeted on Sunday at 7:12 a.m. ET. “It was nice to use @GHIDRA_RE [a software reverse engineering tool suite] and work with @buffaloverflow [Rich Warren] who drove it home.”
SonicWall first announced on January 22nd that advanced threat actors had attacked its internal systems by exploiting a likely zero-day flaw in the company’s secure remote access products. The company initially stated that its NetExtender VPN client was also exploited in the attack, but updated its guidance late on January 23 to say that, after all, NetExtender did not have a zero-day vulnerability.