As attacks against VPN devices to deliver ransomware payloads are on the rise, legacy SonicWall Secure Remote Access (SRA) 4600 devices are being targeted with a SQL injection exploit that was thought to be patched in newer device firmware. CrowdStrike has confirmed that firmware versions 8.x and 9.x are vulnerable to CVE-2019-7481, even when running SMA device firmware versions 18.104.22.168 and 22.214.171.124. SonicWall PSIRT confirmed that legacy SRA devices could use the newer SMA firmware updates and that the devices were interchangeable. After CrowdStrike shared its findings, SonicWall PSIRT confirmed that SRA devices are end of life and that the current mitigation for this issue is to install the latest 10.x SMA firmware.
It is fortunate that newer device firmware is still compatible with the legacy SRA 4600; however, CrowdStrike found that not all security fixes apply one-to-one when installed on these devices. Organizations still using the SonicWall SRA 4600 should have a plan to update device firmware to version 10.x, as specified by SonicWall, as quickly as possible, while planning for eventual device replacement, since the devices are end of life. To check for signs of compromise, CrowdStrike noticed that device logs would include the string msg="Virtual Assist Installing Customer App" in the minutes leading up to access by threat actors.
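The log check described above, as an added example that is not part of the original article or of any SonicWall or CrowdStrike tooling: it scans exported device logs for the "Virtual Assist Installing Customer App" message, pairs each hit with later events from the same source address inside a short window (the "minutes leading up to access" pattern), and flags firmware below the 10.x train. The key=value line layout and the sample log lines are constructed assumptions; adjust the regex to your actual log export.

```python
import re
from datetime import datetime, timedelta

# Indicator string CrowdStrike reported seeing in device logs (from the article).
INDICATOR = "Virtual Assist Installing Customer App"

# Constructed sample lines in a generic key=value syslog style. The real
# SRA/SMA log layout is an assumption; adapt LINE_RE to your export format.
SAMPLE_LOG = """\
2021-06-01T10:14:02Z sra4600 msg="User login succeeded" usr="alice" src=203.0.113.10
2021-06-01T10:31:45Z sra4600 msg="Virtual Assist Installing Customer App" src=198.51.100.7
2021-06-01T10:33:12Z sra4600 msg="Admin session started" usr="admin" src=198.51.100.7
2021-06-01T12:05:00Z sra4600 msg="Admin session started" usr="admin" src=198.51.100.7
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ msg="(?P<msg>[^"]*)"(?: usr="[^"]*")? src=(?P<src>\S+)'
)


def parse_log(text):
    """Parse lines into dicts with ts (datetime), msg and src; skip unparsable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "msg": m.group("msg"), "src": m.group("src")})
    return events


def find_suspicious_sequences(text, window_minutes=30):
    """Pair each indicator event with later events from the same src within the window.

    Returns a list of (indicator_timestamp, src, [follow-on message strings]).
    """
    events = parse_log(text)
    results = []
    for i, ev in enumerate(events):
        if ev["msg"] != INDICATOR:
            continue
        deadline = ev["ts"] + timedelta(minutes=window_minutes)
        follow = [e["msg"] for e in events[i + 1:]
                  if e["src"] == ev["src"] and e["ts"] <= deadline]
        results.append((ev["ts"], ev["src"], follow))
    return results


def firmware_needs_update(version):
    """True unless the firmware is on the 10.x train SonicWall names as the mitigation."""
    return int(version.split(".")[0]) < 10
```

Follow-on events from the same source within the window are the ones worth triaging first; an indicator line with no follow-on activity still merits a look at the device's admin session history.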