SonicWall NetExtender VPN Client and SMA 100 Zero-Day

Cyber Security Threat Advisory
25th January 2021

*Update 1/25: From SonicWall, “While we previously communicated NetExtender 10.X as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners. Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation.”

Threat Update

SonicWall has released a statement regarding their investigation into a “coordinated” attack against their internal network that they believe made use of zero-day vulnerabilities in their remote access point products.

Technical Detail & Additional Information

What Is The Threat?

The statement released by SonicWall does not offer a detailed account of the breach or the vulnerability, however they do state that they believe the attackers utilized zero-day vulnerabilities for their NetExtender VPN Client and Secure Mobile Access platforms. These platforms are used by enterprise environments to secure access to their internal networks, so any unreported and unpremeditated vulnerabilities represent a significant security risk for any enterprise that utilizes their products. They also do not reveal any information about the nature of the breach and how their network was affected.

In their coverage of the incident, ZDnet reports that, “Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack”. This has not been substantiated by SonicWall at this time.

What Is The Exposure Or Risk?

Affected Devices:

  • NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls.
  • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.

According to SonicWall, the SMA 1000 series is NOT susceptible to this vulnerability.

What Are The Recomendations?

At the time of writing this advisory, SonicWall has not released any patch fix for the suspected zero-day vulnerability, however, they do recommend enabling MFA across all their devices. They have also provided the following remediations for each affected platform version:
SMA 100 Series: This product remains under investigation for a vulnerability, however we can issue the following guidance on deployment use cases: 

  • Current SMA 100 Series customers may continue to use NetExtender for remote access with the SMA 100 series. We have determined that this use case is not susceptible to exploitation.
  • We advise SMA 100 series administrators to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet while we continue to investigate the vulnerability.

References:

For more in-depth information about the recommendations, please visit the following links:

Advisory Source: https://getskout.com/cybersecurity-threat-advisory-0003-21-sonicwall-netextender-vpn-client-and-sma-100-zero-day/

Advanced Malware Protection with Trusteer Apex

[vimeo vimeo.com/http://vimeo.com/81704312]

We are all hearing more and more about the frequency and evolution of malware. In this video bog we discuss the different kinds of threats your organisation may face and a new solution to stop zero-day exploits and data exfiltration. Trusteer Apex can automatically and accurately determine if an application action is legitimate or malicious. A must see video blog for an overview of a new approach to protect enterprise endpoints.

WEBINAR: A Deep Dive into Advanced Threat Protection with Trusteer Apex

[vimeo vimeo.com/http://vimeo.com/79656809]

View the recording of our latest webinar and you will learn, the main threats targeting enterprise employees today , the protection offered by Trusteer Apex and how it protects against current threats, what is ‘Stateful Application Control’ and how it works, how zero-day threats can be stopped in their tracks, the protection offered by Trusteer Apex and how it protects against current threats and how Trusteer’s Management Application enables management of protected endpoints and provides insight into the organisation’s threat landscape.