Last Updated: Jan. 25, 2021. 5.30 P.M. CST.
SonicWall believes it is extremely important to be transparent in providing the latest information to our customers, partners and the broader cybersecurity community about the ongoing attacks on global business and government.
As an update to previous communication, SonicWall engineering teams continued their investigation into probable zero-day vulnerabilities and have produced the following update regarding the impacted products:
NOT AFFECTED
- SonicWall Firewalls: All generations of SonicWall firewalls are not affected by the vulnerability impacting the SMA 100. No action is required from customers or partners.
- NetExtender VPN Client: While we previously communicated NetExtender 10.x as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products. No action is required from customers or partners.
- SMA 1000 Series: This product line is not affected by this incident. Customers are safe to use SMA 1000 series and their associated clients. No action is required from customers or partners.
- SonicWave Access Points: Not affected. No action is required from customers or partners.
REMAINS UNDER INVESTIGATION
- SMA 100 Series: This product remains under investigation. However, SMA 100 series products may be used safely in common deployment use cases. For details on these use cases and further mitigation steps, please read: https://www.sonicwall.com/support/product-notification/210122173415410.
For additional details, guidance and product usage, customers may reference the KB article, which we will continue to update throughout our investigation.
SonicWall fully understands the challenges that previous guidance posed in a work-from-home environment, but the communicated steps were measured and purposeful in ensuring the safety and security of our global community of customers and partners.
IMPORTANT: At this time, it is critical that organizations with active SMA 100 Series appliances take the following action:
- Enable two-factor authentication (2FA) on SMA 100 series appliances
  - Please refer to the following knowledgebase article: https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-time-based-one-time-password-totp-in-sma-100-series/180818071301745/
In addition to implementing 2FA, SMA 100 series administrators may also consider the following to further secure access to these devices:
- Enable Geo-IP/botnet filtering and create a policy blocking web traffic from countries that do not need to access your applications.
  - See page 248 of the SMA 100 Series 10.2 Administration Guide
- Enable and configure End Point Control (EPC) to verify a user’s device before establishing a connection.
  - See page 207 of the SMA 100 Series 10.2 Administration Guide
- Restrict access to the portal by enabling Scheduled Logins/Logoffs
  - See page 117 of the SMA 100 Series 10.2 Administration Guide
Please refer to the SonicWall issued PSIRT Advisory SNWLID-2021-0001 for updates. As we continue to investigate the incident, we will provide further updates regarding mitigation or possible patches in this KB.
Original Post: Jan. 22, 2021. 10 P.M. CST.
SonicWall provides cybersecurity products, services and solutions that are designed to help keep organizations safe from increasingly sophisticated cyber threats. As the front line of cyber defense, we have seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations.
We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government.
Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:
- NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
- Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance
The NetExtender VPN client and SMB-oriented SMA 100 series are used for providing employees/users with remote access to internal resources.
We are providing mitigation recommendations to our channel partners and customers. For further guidance, please visit: https://www.sonicwall.com/support/product-notification/210122173415410. We will continue to update this knowledge base (KB) article as more information is available.