Researchers at CrowdStrike have confirmed that threat actors are exploiting a SonicWall VPN vulnerability to attack Secure Remote Access (SRA) 4600 devices. The vulnerability, tracked as CVE-2019-7481, is not new. The bug was identified in 2019 and a patch was released to correct the flaw; however, the patch was only partially effective and did not fix the firmware bug on legacy SonicWall SRA 4600 VPN devices. Proof-of-concept exploit code has been released, and ransomware gangs have been exploiting the flaw.
CrowdStrike has confirmed that the patch for the bug has not mitigated the vulnerability on SRA devices running 8.x and 9.x firmware, and that even the latest versions of SMA firmware do not fix the issue on SRA devices.
SonicWall had previously said the flaw only affected version 8.x of the firmware, but later confirmed the flaw also affected version 126.96.36.199, which suggested that later versions of the firmware were not vulnerable. CrowdStrike researchers tested an injection attack against version 188.8.131.52 on an older SonicWall SRA 4600 device and found that the bug had not been resolved and could still be exploited.
After being notified by CrowdStrike, SonicWall issued a statement that all users should update to version 10.x of the firmware. SonicWall said SRA devices have reached end-of-life, but that the patches released to resolve issues with the newer SMA 100 devices were backward compatible with the older SRA devices; however, CrowdStrike reports that the vulnerability can still be exploited even with the latest versions of the firmware installed.
“While the assumption had been that SRA devices, though end-of-life, could be maintained by implementing the latest SMA firmware upgrades and vulnerability patches, CrowdStrike found that these firmware version recommendations previously considered ‘patched’ can still be vulnerable,” explained CrowdStrike in a recent blog post. “As the SRA devices are no longer being supported by SonicWall, an upgrade to a supported device is recommended to mitigate risk.”
If upgrading is not possible, CrowdStrike recommends implementing multi-factor authentication for all applications, which may slow or halt an attack, adopting a zero-trust approach, and installing endpoint detection and response (EDR) software on all systems. EDR software should block an attack if the perimeter defenses are breached.