SonicWall Rules Out VPN Compromise, Flaw Limited To SMA Tool

A day after disclosing a sophisticated cyberattack against its internal systems, SonicWall updated its guidance to tell customers its NetExtender VPN client doesn’t have a zero-day vulnerability after all.

SonicWall updated its guidance a day after disclosing a sophisticated hack to tell customers its NetExtender VPN client doesn’t have a zero-day vulnerability after all.

The Milpitas, Calif.-based platform security vendor said late Saturday that only its SMB-oriented Secure Mobile Access (SMA) 100 series tool remains under investigation for a security flaw. That’s in stark contrast to Friday night, when SonicWall announced that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw in both its SMA 100 and NetExtender products.

“While we previously communicated NetExtender 10.x as potentially having a zero-day, that has now been ruled out. It may be used with all SonicWall products,” SonicWall announced at 10:45 p.m. ET Saturday. “No action is required from customers or partners.”

[Related: SonicWall Breached Via Zero-Day Flaw In Remote Access Tools]

SonicWall additionally disclosed late Saturday that SMA 100 series products may be used safely in common deployment use cases. Specifically, the company said that customers may continue to use NetExtender for remote access with the SMA 100 series since that setup is not susceptible to exploitation.

SMA 100 series administrators are advised to create specific access rules or disable Virtual Office and HTTPS administrative access from the Internet, SonicWall said Saturday. A day earlier, SonicWall told SMA 100 series partners and customers to either use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA directly itself.

“SonicWall fully understands the challenges previous guidance had in a work-from-home environment, but the communicated steps were measured and purposeful in ensuring the safety and security of our global community of customers and partners,” the company said late Saturday.

The company reiterated Saturday that the SMA 1000 series is not susceptible to this attack, and noted for the first time that all generations of SonicWall firewalls are not affected by the SMA 100’s zero-day vulnerability. SonicWave Access Points are additionally not affected by the compromise, according to SonicWall.

SonicWall’s internal systems first went down Tuesday, and source code hosted on the company’s GitLab repository was accessed by the attackers, The Hacker News reported late Friday. Similarly, SC Media said it received an anonymous tip late Friday that SonicWall’s systems had undergone a major breach. The company didn’t respond, and instead issued a formal announcement later that evening, SC Media said.

The company declined to answer questions from CRN about whether the attack on its internal systems was carried out by the same threat actor who for months injected malicious code into the SolarWinds Orion network monitoring tool. Multiple members of the threat intelligence community said that SonicWall might have fallen victim to a ransomware attack, according to ZDNet.

The company declined to comment to CRN on The Hacker News, SC Media or ZDNet reports. SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack over the past seven weeks, following attempted hacks of FireEye, CrowdStrike, Mimecast and Malwarebytes.