Vulnerability in SonicWall VPN products exploited - Updated advisory


4:30pm, 24 January 2021

TLP Rating: Clear


Updated at 1.15pm on 4 February 2021: SonicWall has released an update to resolve this vulnerability. All organisations with SMA 100 series appliances running version 10.x are urged to apply this update immediately, and follow the additional steps as detailed in the SonicWall security advisory. You can find the link to the advisory in the 'More Information' section below.

-----

Updated at 12.30pm on 2 February 2021: SonicWall has identified the vulnerability and has stated that it expects to release a security update for this on 2 February (US time). SonicWall has also clarified the guidance for SMA 100 users. All organisations that have SMA 100 devices deployed are advised to check the SonicWall security advisory and follow the mitigations, as well as prepare to apply updates when they are released.

-----

Updated at 6.20pm on 24 January 2021: The latest update from SonicWall has removed NetExtender from the list of potentially vulnerable products.

-----

SonicWall has disclosed that attackers have exploited as-yet-unknown vulnerabilities in Secure Mobile Access (SMA) appliances.

Organisations that are using these products are urged to ensure that multi-factor authentication is configured and enforced, and to lock down access to the VPN endpoint. Further mitigation may be recommended as SonicWall’s investigation continues.

What's happening

Systems affected

SonicWall has confirmed that, at this point, the only products believed to be vulnerable are the SMA 100 series of VPN appliances.

SonicWall has committed to updating its notification as further information becomes available. Up-to-date information, as well as mitigations, can be found in SonicWall’s security advisory.

What to look for

How to tell if you're at risk

If you are using affected SonicWall products to provide VPN access, then applying the relevant mitigations, detailed below, is strongly recommended. If you are using SonicWall products that are not listed as affected, CERT NZ recommends monitoring SonicWall’s advisory or contacting your reseller to make sure that there are no developments that affect your network.

What to do

Mitigation

SonicWall is instructing users of affected products to:

  • Lock down VPN access to affected SMA appliances through an IP allowlist.
  • Configure and enforce multi-factor authentication on all VPN access, as well as other ways to connect to SonicWall products.
  • If you have logging enabled or network based monitoring, check and remain vigilant for anomalous activity to or from your SonicWall appliances.
  • Monitor SonicWall’s security advisory for any developments, or patches that they instruct users to implement.
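
As an added illustration of the allowlist and log-review steps above (not tooling from CERT NZ or SonicWall), the following sketch reviews connection records for traffic to the appliance from sources outside the allowlist and for connections the appliance initiates to unexpected destinations. The record format, the addresses (documentation ranges) and the expected-destination list are assumptions; adapt the parsing to whatever your logging or network monitoring actually exports.

```python
import ipaddress

# Assumed values: documentation-range addresses stand in for a real deployment.
APPLIANCE = ipaddress.ip_address("192.0.2.10")
ALLOWED_SOURCES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "203.0.113.16/28")]
# Networks the appliance is expected to contact itself (for example, an
# internal directory server). Anything else it initiates is worth a look.
EXPECTED_DESTINATIONS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample records in an assumed "timestamp src dst dst_port" format.
SAMPLE_FLOWS = """\
2021-01-24T03:12:09Z 198.51.100.23 192.0.2.10 443
2021-01-24T03:14:41Z 203.0.113.40 192.0.2.10 443
2021-01-24T03:15:02Z 192.0.2.10 10.1.2.3 389
2021-01-24T03:15:30Z 192.0.2.10 203.0.113.99 8443
not a flow record
"""

def in_any(addr, networks):
    """True if addr falls inside at least one of the given networks."""
    return any(addr in net for net in networks)

def review_flows(text):
    """Return (line_number, finding, detail) tuples for records needing review."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ts, src, dst, port = line.split()
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            # Keep malformed lines visible instead of silently dropping them.
            findings.append((lineno, "unparsed", line))
            continue
        if dst == APPLIANCE and not in_any(src, ALLOWED_SOURCES):
            findings.append((lineno, "inbound-outside-allowlist",
                             f"{ts} {src} -> appliance:{port}"))
        elif src == APPLIANCE and not in_any(dst, EXPECTED_DESTINATIONS):
            findings.append((lineno, "outbound-unexpected",
                             f"{ts} appliance -> {dst}:{port}"))
    return findings

if __name__ == "__main__":
    for lineno, finding, detail in review_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {finding}: {detail}")
```

Inbound hits after the allowlist is in place suggest the restriction is not being enforced on every path to the appliance.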

More information

For further information about the incident, see the SonicWall security advisory.

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ

For media enquiries, email our media desk at certmedia@cert.govt.nz or call 021 854 384.