Urgent Security Notice: NetExtender VPN Client 10.X, SMA 100 Series Vulnerability
01/23/2021
DESCRIPTION:
Last Updated: Jan. 22, 2021. 10:15 P.M. CST.
NOTE: We will continue to update this knowledge base (KB) article as more information and mitigation steps are available.
SonicWall provides cybersecurity products, services and solutions designed to help keep organizations safe from increasingly sophisticated cyber threats. As the front line of cyber defense, we have seen a dramatic surge in cyberattacks on governments and businesses, specifically on firms that provide critical infrastructure and security controls to those organizations.
We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government.
Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products. The impacted products are:
NetExtender VPN client version 10.x (released in 2020) utilized to connect to SMA 100 series appliances and SonicWall firewalls
Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.
I read through everyone’s comments here and the consensus seems to be that there is no obvious way to disable NetExtender but still allow SSLVPN using MobileConnect on the firewalls. SonicWALL’s link to the SSLVPN document is just how to set it up…
Nor does it say that MFA mitigates the issue.
So any malicious actor with NetExtender 10 could presumably connect to our network without credentials?
We have moved forward with creating a whitelist and gathering everyone’s home IPs. Thankfully it’s the weekend and fewer people are working.
Friendly reminder for everyone scrambling: you have to hit your SonicWall’s http://x.x.x.x/diag.html page to check the “Enable the ability to remove and fully edit auto-added access rules” so that you can change your SSLVPN WAN>WAN rules to your whitelist IP group.
So… if I’m reading into this correctly there’s currently no patch and the only solution to continue using it is to whitelist IPs? Does SonicWall not realize how completely impractical this is at scale?!
Also no ETA or anything on when this will be resolved?! The vagueness of this notice is both concerning and pathetic.
I created two access rules for SSL VPN… whitelist for those allowed and deny all for everyone else. Just wondering if that’s enough for older SonicWall models since the initial email notification is very sparse on details.
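The allow-then-deny-all arrangement discussed in the comments above is only as good as the address list behind it. As an added example (not part of the thread and not SonicWall code), this sketch validates a list of user-reported addresses before it is loaded into a whitelist group and shows how a source address is then decided; the function names, the prefix-length floor and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample of addresses as users might report them (documentation ranges).
REPORTED = ["203.0.113.10", " 198.51.100.7 ", "203.0.113.10", "192.168.1.23",
            "198.51.100.0/24", "0.0.0.0/0", "not-an-ip"]

MIN_PREFIX = {4: 24, 6: 48}  # assumption: refuse entries broader than this
# IPv4 ranges that are never a user's public source address
# (RFC 1918, CGNAT, loopback, link-local).
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]

def build_allowlist(entries):
    """Validate reported addresses; return (collapsed networks, rejected entries)."""
    accepted, rejected = set(), []
    for raw in entries:
        text = raw.strip()
        try:
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected.append((text, "not an IP address or CIDR"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((text, "range too broad"))
        elif any(net.version == n.version and net.overlaps(n) for n in NON_PUBLIC):
            rejected.append((text, "not a public address"))
        else:
            accepted.add(net)  # the set drops duplicate reports
    allowlist = []
    for version in (4, 6):  # collapse_addresses cannot mix IPv4 and IPv6
        allowlist += ipaddress.collapse_addresses(
            n for n in accepted if n.version == version)
    return allowlist, rejected

def decide(source_ip, allowlist):
    """First-match evaluation: allow rule for the list, then deny everything else."""
    addr = ipaddress.ip_address(source_ip)
    return "allow" if any(addr in net for net in allowlist) else "deny"

if __name__ == "__main__":
    allowlist, rejected = build_allowlist(REPORTED)
    print("allowlist:", [str(n) for n in allowlist])
    for entry, reason in rejected:
        print(f"rejected {entry!r}: {reason}")
    for src in ("198.51.100.7", "203.0.113.11"):
        print(src, "->", decide(src, allowlist))
```

Rejected entries such as a LAN address reported in place of the public one need a follow-up with the user, since that user would otherwise fall through to the deny rule.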
There’s no way I can mitigate this attack. I’ll have to wait for a firmware update. My VPN users have to use NetExtender to perform critical business functions. There’s no way around that.
SonicWall’s update mentions that NetExtender, SonicWall Firewalls, SMA 1000 series are not affected by this. They’re still investigating the SMA 100 series.
Agreed. It’s rather frustrating to get such a notice late on a Friday (or Saturday globally), with few details. And nothing at all in the almost 11 hours since this notice.
“Recently, SonicWall identified a coordinated attack on its internal systems by highly sophisticated threat actors exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
This statement is ambiguous on purpose. You should assume the worst.