SonicWall News

Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances

SonicWall has issued an urgent security notice warning users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running end-of-life firmware about an imminent ransomware campaign using stolen credentials.

The campaign exploits a known vulnerability in 8.x firmware on the devices. SonicWall patched the vulnerability in later versions of the firmware. All users of these devices that are still running the vulnerable firmware version have been advised to update to version 9.x or 10.x of the immediately.

SonicWall became aware of threat actors targeting the vulnerability in SMA 100 series and SRA products through collaboration with trusted third parties. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” explained SonicWall.

Customers using end-of-life SMA or SRA devices running the vulnerable 8.x firmware should apply the update immediately or disconnect their appliances and reset passwords. EOL devices are:

  • SRA 4600/1600 (EOL 2019)
  • SRA 4200/1200 (EOL 2016)
  • SSL-VPN 200/2000/400 (EOL 2013/2014)

SMA 400/200 is still supported in Limited Retirement Mode. Users should update to 10.2.0.7-34 or 9.0.0.10 immediately, reset passwords, and enable MFA.

All known vulnerabilities have been corrected in the latest versions of 9.x or 10.x firmware and users of SMA 1000 series products are not affected. Users of these products should ensure they are running the most current firmware versions, should implement multi-factor authentication, and ensure that any future firmware updates are applied as soon as possible.

SMA 210/410/500v has not reached end of life and is actively supported but may still be running firmware versions with vulnerabilities discovered in 2021. Users running firmware 9.x should immediately update to 9.0.0.10-28sv or later and users of firmware 10.x should immediately update to 10.2.0.7-34sv or later.

Customers using end-of-life devices running the vulnerable version 8.x firmware who are not able to upgrade to 9.x or 10.x are being offered a complimentary virtual SMA 500v until October 31, 2021, which is still being supported.

The post Imminent Risk of Ransomware Attacks Exploiting Flaw in SonicWall SRA/SMA 100 Series VPN Appliances appeared first on HIPAA Journal.

Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution.

SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack.

In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then used those credentials to move laterally within the victim’s network.

The three vulnerabilities were identified by the Mandiant Managed Defense team. SonicWall has now developed, tested, and released patches to correct the flaws. The SonicWall Hosted Email Security product was automatically updated on April 21, 2021 so customers using the hosted email security solution do not need to take any action, but users of other vulnerable SonicWall Email Security products will need to apply the patches to prevent exploitation.

SonicWall said “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.”

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10. The other two vulnerabilities have CVSS scores of 7.2 and 6.7.

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host. (CVSS 9.8)
  • CVE-2021-20022 – Post-authentication vulnerability allowing uploads of arbitrary files to a remote host. (CVSS 7.2)
  • CVE-2021-20023 – Post-authentication vulnerability allowing arbitrary file read on a remote host. (CVSS 6.7)

Mandiant identified the threat actor exploiting the vulnerabilities as UNC2682 and blocked the attack before the threat group could achieve its final aim, so the objective of the attack is unknown. Other threat groups may also attempt to exploit the vulnerabilities to obtain persistent access to enterprise networks and steal sensitive data.

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” explained Mandiant. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Affected Product Version Patched Version CVEs
SonicWall Email Security versions 10.0.4-Present 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.3 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.2 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.1 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 7.0.0-9.2.2 Active support license allows upgrade to above secure versions but without an active support license upgrades are not possible CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.4-Present HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.3 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.2 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.1 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023

The post Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited appeared first on HIPAA Journal.