Dealer Threat Advisory 02-21: SonicWall NetExtender VPN Client and SMA 100 Zero-Day

*Update 1/25: From SonicWall, “While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners. Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation.”

THREAT UPDATE

SonicWall has released a statement regarding their investigation into a “coordinated” attack against their internal network that they believe made use of zero-day vulnerabilities in their remote access point products.

TECHNICAL DETAIL & ADDITIONAL INFORMATION

WHAT IS THE THREAT?

The statement released by SonicWall does not offer a detailed account of the breach or the vulnerability, however they do state that they believe the attackers utilized zero-day vulnerabilities for their NetExtender VPN Client and Secure Mobile Access platforms. These platforms are used by enterprise environments to secure access to their internal networks, so any unreported and unpremeditated vulnerabilities represent a significant security risk for any enterprise that utilizes their products. They also do not reveal any information about the nature of the breach and how their network was affected.

In their coverage of the incident, ZDnet reports that, “Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack”. This has not been substantiated by SonicWall at this time.

WHY IS IT NOTEWORTHY?

Many dealerships use SonicWall firewalls that are most likely associated with the dealer management system that they utilize. As such, any of these dealers may have SonicWall devices that are at risk. Additionally, these dealers depend on the SonicWall NetExtender VPN software to connect to these firewalls for day to day access to the dealer management software in use.

It is HIGHLY encouraged that all dealerships make certain that their firewall appliances have the latest software updates, that all of their NetExtender software installations are up to date and that they closely monitor this situation and follow the advice / direction from SonicWall as the situation continues to develop.

WHAT IS THE EXPOSURE OR RISK?

Affected Devices:

• NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls.
• Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.

According to SonicWall, the SMA 1000 series is NOT susceptible to this vulnerability.

WHAT ARE THE RECOMMENDATIONS?

At the time of writing this advisory, SonicWall has not released any patch fix for the suspected zero-day vulnerability, however, they do recommend enabling MFA across all their devices. They have also provided the following remediation for each affected platform version:

SMA 100 Series: This product remains under investigation for a vulnerability, however we can issue the following guidance on deployment use cases: 

• Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation.
• We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability.

REFERENCES:

For more in-depth information about the recommendations, please visit the following links:

• https://www.sonicwall.com/support/product-notification/urgent-security-notice-netextender-vpn-client-10-x-sma-100-series-vulnerability/210122173415410/
• https://www.zdnet.com/google-amp/article/sonicwall-says-it-was-hacked-using-zero-days-in-its-own-products/

If you have any questions, please contact us.