WatchPoint Security Blog

SonicWall VPN Zero-Day: To disrupt or not to disrupt?

Written by Greg Edwards | January 23, 2021

10:15 PM CST Friday 1/22/2021 SonicWall released information that they had been compromised by a zero-day SSL VPN and SMA vulnerability. For MSPs using SonicWall, the options are to disconnect SSL VPN, whitelist VPN users, turn on MFA, or wait for a patch. SonicWall has released little information regarding the vulnerability. SonicWall has said that their own San Jose corporate offices were compromised and that is how they discovered the vulnerability.   

Please see IMPORTANT update below before taking action!

UPDATED 9:45 PM CST Saturday 1/23/2021

SonicWall has determined this Zero Day does not affect 10.x NetExtender SSL VPN Client, but does affect the SMA series products. This is an unusual reversal from the previous day's critical alert calling for immediate action. This no doubt caused countless hours of MSP time determining and implementing steps to mitigate the risk of unauthorized attackers accessing systems.

Transparency and communication are critical from security vendors, so I encourage the community to take a breath before judging SonicWall's decision to sound the alarm bells. This isn't to say SonicWall doesn't need to re-evaluate their processes, tracking of threats and ability to monitor their solutions. Additional information should be communicated on the nature of the perceived zero-day and where any failures may have been in the diagnosis and forensic process.  

Enabling MFA: While there is no longer a zero-day threat to drive MFA adoption, do not wait for the next incident. If you have not already implemented MFA, you need a plan to do so now. This demonstrates the critical need for using MFA everywhere possible, certainly with remote access.  

The questions are:

Who has access to the zero-day?

Are my clients vulnerable?

Which option should I choose? Disconnect VPN, whitelist, turn on MFA or wait for the patch.

When will a patch be available?

 

Who has access?

It is likely a state actor, as this is a very sophisticated attack. BUT we don’t know. This zero-day could be available on the dark web for any cybercriminal to use. In all likelihood, the zero-day is in the hands of one state actor and not available on the dark web. Again, we don’t know and need to take action because of the unknown.

 

Are my clients vulnerable?

Yes, if your clients are using SonicWall SSL VPN 10.x (released 2020) and don’t have MFA enabled on SonicWall firewalls.

NO - updated information from SonicWall determined that the NetExtender client is not vulnerable to the Zero Day.

 

Which option should I choose?

Enabling MFA is the best option but is more complicated than simply clicking a button. It requires a third-party provider and lots of MSPs integrate to AD through a RADIUS server. This adds complication, time and cost to implement.

Disconnect. This is as simple as clicking a button and may be the quickest, safest way to protect your clients. The downside, of course, is we are in a pandemic and almost every client has users working from home.

Whitelist. This is time consuming and not as secure as any of us would like. You have to collect all of the IP addresses from the user’s home connection and create the whitelist on every firewall and then test to make sure the users can connect.

Wait for a patch. SonicWall is almost certainly working around the clock on a patch, and my guess is they will release a patch by late Sunday 1/24/2021. This is pure speculation based on previous critical patches and how quickly SonicWall has responded in the past. SonicWall no doubt is working fervently to test and release a patch, but it could be days or weeks.

So, what to do?

My recommendation would be to enable MFA if that is practical, or use a combination of disconnect, whitelist, and wait. You absolutely must come up with a plan and TALK to your clients. This is an all-hands-on-deck moment and your clients will appreciate that you have their best interests in mind and are protecting them.