According to a warning from security vendor CrowdStrike, malicious hackers are exploiting an old VPN security hole to attack SonicWall SRA (Secure Remote Access) devices.
The vulnerability in question, CVE-2019-7481, was patched by SonicWall in 2019, although CrowdStrike warns that the firmware updates offered for outdated SRA devices did not adequately mitigate the risk.
Since then, proof-of-concept code has been leaked, and CrowdStrike claims that large-scale ransomware attackers have used the flaw to infect older SonicWall SRA 4600 VPN routers.
SonicWall confirmed to CrowdStrike that the SMA firmware updates contain the patches advised for SRA devices, and that CVE-2019-7481 affects devices with firmware versions 188.8.131.52 and prior.
However, CrowdStrike's analysis of SMA firmware version 184.108.40.206 found that the injection attack still works on older SonicWall SRA 4600 devices, indicating that the 2019 patch recommended for SMA devices is ineffective on SRA appliances.
While it was originally assumed that older SRA devices would be compatible with newer SMA firmware, CrowdStrike observes that being able to install SMA updates on SRA hardware does not necessarily fix the vulnerabilities in SRA devices.
CrowdStrike claims that even the 10.x firmware upgrades published for SMA 100 devices in 2021 leave older SRA devices vulnerable.
According to CrowdStrike, enterprises should consider replacing outdated appliances with newer devices that are still supported, even though the vendor's advice is to update to the latest firmware fixes. A thorough review of all VPN logs should help detect unusual behaviour.
Adopting a Zero Trust approach, deploying two-factor authentication across all applications, including the VPN, and deploying endpoint detection and response (EDR) software on all systems are additional mitigations that can help block attacks even if the first line of defence is compromised.
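The replace-or-patch decision above is easy to get wrong at scale if firmware versions are compared as strings, because "10.2.0" sorts before "9.0.0" lexicographically. The following inventory triage script is an added example, not CrowdStrike's or SonicWall's code: it marks every SRA appliance for replacement (the article says SRA is unsupported and SMA firmware does not reliably fix it) and flags SMA appliances whose firmware is at or below an affected version. The cut-off version, the model strings and the host names are constructed placeholders; take the real cut-off from the vendor advisory for CVE-2019-7481.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Placeholder cut-off, NOT a vendor-confirmed value: the article's quoted version
# string appears garbled, so the real number must come from SonicWall's advisory.
AFFECTED_UP_TO = "9.0.0.0"


@dataclass
class Appliance:
    hostname: str
    model: str      # e.g. "SRA 4600", "SMA 400" (constructed labels)
    firmware: str   # dotted version string as reported by the appliance


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.2.0.5' into (10, 2, 0, 5) so comparisons are numeric, not lexicographic.
    Non-digit suffixes such as '5sv' are stripped; an empty component becomes 0."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_le(a: str, b: str) -> bool:
    """True if version a <= version b; shorter tuples are padded with zeros."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta <= tb


def triage(inventory: List[Appliance], affected_up_to: str = AFFECTED_UP_TO) -> Dict[str, List[str]]:
    """Sort appliances into 'replace' (unsupported SRA hardware), 'patch' (SMA at or
    below the affected firmware) and 'ok' (SMA above it)."""
    result: Dict[str, List[str]] = {"replace": [], "patch": [], "ok": []}
    for dev in inventory:
        family = dev.model.split()[0].upper()
        if family == "SRA":
            # Per the article, SRA appliances stay exposed even with SMA firmware loaded.
            result["replace"].append(dev.hostname)
        elif family == "SMA" and version_le(dev.firmware, affected_up_to):
            result["patch"].append(dev.hostname)
        else:
            result["ok"].append(dev.hostname)
    return result


# Constructed sample inventory; host names and versions are invented for the example.
SAMPLE_INVENTORY = [
    Appliance("vpn-old-01", "SRA 4600", "10.2.0.5"),   # SRA with newer SMA firmware: still replace
    Appliance("vpn-sma-01", "SMA 400", "9.0.0.0"),     # equal to cut-off: patch
    Appliance("vpn-sma-02", "SMA 400", "10.2.1.0"),    # above cut-off: ok
    Appliance("vpn-sma-03", "SMA 500v", "8.6.0.1"),    # below cut-off: patch
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Feed `triage()` the export from your asset inventory and review the "replace" bucket first; a device there is not made safe by a high firmware number, which is exactly the point the article makes about SRA 4600 units running SMA builds.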
“Because SonicWall no longer supports SRA devices, upgrading to a supported device is recommended to reduce risk.” Furthermore, while this vulnerability allows an attacker to view session data, CrowdStrike claims that two-factor authentication can hinder or stop an attack.