I am trying to get more information through my sonicwall rep to understand if the attackers could have gained persistence on the appliances.
I forwarded a similar event log entry like yours to my local SNWL contact and he couldn't help because there were no more related log entries to put in context. He suggested to create a Support Ticket for further analysis ... of what?
It was a simple question: what does this log entry mean, and was it caused by an allow or block action?
I would try to ask Ollie Whitehouse or Rich Warren on Twitter. They found the vulnerability (NCCGroupInfosec). They probably have more information than SonicWall. It looks like SonicWall is "overwhelmed".
Saw this message today on 5-6 SMA appliances. Just sharing what we are seeing.
SSLVPN: id=sslvpn sn= time="2021-02-08 22:43:28" vp_time="2021-02-09 06:43:28 UTC" fw= pri=1 m=0 c=800 src=188.8.131.52 dst= user="System" usr="System" msg="ExtendID (query) invalid extendid: '1' or substr((select sessionId from Sessions Limit 1 OFFSET 0),1,1)='q';--''" agent="python-requests/2.21.0"
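The value in that msg field is a substring oracle: each request asks whether one character at one position of the first sessionId in the Sessions table equals a guess, so a blind extraction shows up as a burst of "invalid extendid" entries from one source with the position and guess changing. As an added example (not code from any poster on this thread or from SonicWall), the following Python parses the key=value layout of these SMA entries and flags the probe; the line quoted above is reused as-is, while the benign lines, the second and third probes, the 203.0.113.9 source and all function names are constructed here for illustration, not taken from any real appliance.

```python
"""Flag blind-SQLi probes in SonicWall SMA SSLVPN log entries (added example)."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample set: the first line is the entry quoted in the thread,
# the others are made up here to show benign traffic and further probes.
SAMPLE_LOGS = [
    "SSLVPN: id=sslvpn sn= time=\"2021-02-08 22:43:28\" vp_time=\"2021-02-09 06:43:28 UTC\" fw= pri=1 m=0 c=800 src=188.8.131.52 dst= user=\"System\" usr=\"System\" msg=\"ExtendID (query) invalid extendid: '1' or substr((select sessionId from Sessions Limit 1 OFFSET 0),1,1)='q';--''\" agent=\"python-requests/2.21.0\"",
    # constructed: a user typo in the same field, no SQL in it
    "SSLVPN: id=sslvpn sn= time=\"2021-02-08 22:43:40\" fw= pri=1 m=0 c=800 src=198.51.100.7 dst= user=\"System\" usr=\"System\" msg=\"ExtendID (query) invalid extendid: 'abc'\" agent=\"Mozilla/5.0\"",
    # constructed: unrelated message, must be ignored by the detector
    "SSLVPN: id=sslvpn sn= time=\"2021-02-08 22:43:41\" fw= pri=6 m=0 c=800 src=198.51.100.7 dst= user=\"jdoe\" usr=\"jdoe\" msg=\"User login successful\" agent=\"Mozilla/5.0\"",
    # constructed: same attacker moving to the second character of the session id
    "SSLVPN: id=sslvpn sn= time=\"2021-02-08 22:43:29\" fw= pri=1 m=0 c=800 src=188.8.131.52 dst= user=\"System\" usr=\"System\" msg=\"ExtendID (query) invalid extendid: '1' or substr((select sessionId from Sessions Limit 1 OFFSET 0),2,1)='a';--''\" agent=\"python-requests/2.21.0\"",
    # constructed: a different source trying a union-based probe instead
    "SSLVPN: id=sslvpn sn= time=\"2021-02-08 22:50:02\" fw= pri=1 m=0 c=800 src=203.0.113.9 dst= user=\"System\" usr=\"System\" msg=\"ExtendID (query) invalid extendid: ' union select 1--\" agent=\"curl/7.68.0\"",
]

# key=value pairs: the value is either double-quoted (may contain spaces and
# single quotes) or a bare token, which may be empty (sn=, fw=, dst=).
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Shape of the oracle seen in the thread: substr((select COL from TABLE ...),POS,1)='CH'
_SUBSTR_ORACLE_RE = re.compile(
    r"substr\(\(select\s+(\w+)\s+from\s+(\w+)[^)]*\)\s*,\s*(\d+)\s*,\s*1\)\s*=\s*'(.)'",
    re.IGNORECASE,
)

# Generic markers of SQL being smuggled into the rejected extendid value
_SQLI_MARKERS = [
    re.compile(r"'\s*or\s+", re.IGNORECASE),   # ' or ...
    re.compile(r"\bselect\b", re.IGNORECASE),
    re.compile(r"\bunion\b", re.IGNORECASE),
    re.compile(r";\s*--"),                      # statement terminator plus comment
]


def parse_sma_line(line: str) -> Dict[str, str]:
    """Split one SMA syslog line into its key=value fields."""
    body = line.split(": ", 1)[1] if line.startswith("SSLVPN: ") else line
    fields: Dict[str, str] = {}
    for key, quoted, bare in _KV_RE.findall(body):
        fields[key] = quoted if quoted else bare
    return fields


def classify(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the rejected extendid value carries SQL, else None."""
    msg = fields.get("msg", "")
    m = re.search(r"invalid extendid:\s*(.*)$", msg)
    if not m:
        return None                      # not the ExtendID validation message
    payload = m.group(1)
    hits = [p.pattern for p in _SQLI_MARKERS if p.search(payload)]
    if not hits:
        return None                      # malformed id, but no SQL in it
    finding: Dict[str, object] = {
        "src": fields.get("src", ""),
        "agent": fields.get("agent", ""),
        "time": fields.get("time", ""),
        "markers": len(hits),
        "oracle": None,
    }
    o = _SUBSTR_ORACLE_RE.search(payload)
    if o:                                # blind extraction: which char is being guessed
        finding["oracle"] = {
            "column": o.group(1), "table": o.group(2),
            "position": int(o.group(3)), "guess": o.group(4),
        }
    return finding


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detector over raw log lines and keep only the findings."""
    return [f for f in (classify(parse_sma_line(ln)) for ln in lines) if f]


def probes_per_source(findings: List[Dict[str, object]]) -> Counter:
    """Count probes per source IP; a substring oracle needs many requests per host."""
    return Counter(str(f["src"]) for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f)
    print(probes_per_source(scan(SAMPLE_LOGS)))
```

The two substr probes from 188.8.131.52 come out with positions 1 and 2, which is the signal to alert on: a single invalid ID is noise, a source walking positions one character at a time is an extraction in progress. The union-based line from 203.0.113.9 is still flagged by the generic markers but has no oracle attached, so the per-source count is what matters for triage rather than the exact payload shape.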
Looks like another attempt at SQL injection. But you can be assured SNWL would definitely comment on that urgent matter if our deployments were at any risk whatsoever. It wasn't worth a comment last week for a similar sighting, so it's a nothing burger.
This message may include traces of sarcasm; be advised if you're known to be allergic to it.
I received the same alert today from that exact same src IP address
There are definitely some "campaigns" that are going on to find vulnerable devices...
I'm looking for someone who can help me clarify the mitigation option. I already tried the support hotline, but the line seems really busy.
As already mentioned in previous posts, SonicWall stated enabling WAF with a 60-day complimentary license as one of the mitigation options. Uhm, my question is, do I need to have a WAF license beforehand, or do I need to buy a license afterwards? Or is this complimentary option bound to some rules (except a registered SMA)?
Thank you in advance!
It seems no one is willing to chime in, so I can only provide my end-user/partner view.
The WAF for 60 days is a freebie, and of course after that point in time you have to pay good money for that feature. There is no official word on whether WAF is still necessary after applying 10.2.0.5. There is no word on the impact of the vulnerability (SQL injection extracted credentials?).
There are a bunch of things to clear up, but SNWL is making no steps in that direction, plain silence.
I am also wondering when Sonicwall is going to give us more details on this.
Can anyone comment as to whether Sonicwall has said anything about the data breach? Was customer information stolen?
That would be a nice thing to know. I am trying to figure out why no information is being released.
SonicWall can protect you from APTs, but they cannot protect their own system from a simple blind SQL injection :)
That's all the information I need.
Just say nothing says it all...
Just have a quick look at the end of the post from a well-known security researcher and ex-member of the well-known LulzSec hacking group.
SonicWall definitely has a QA problem regarding security and quality....
SonicWall should start to leave a comment on this post regarding their migration tasks....
SonicWall is announcing the availability of new firmware versions for both 10.x and 9.x code on SMA 100 series products, comprised of SMA 200, 210, 400, 410 physical appliances and the SMA 500v virtual appliance.
The new SMA 10.2 firmware includes:
The new 9.0 firmware includes:
All organizations using SMA 100 series 10.x or 9.x firmware should apply the respective patches IMMEDIATELY.
If you already upgraded to the previous SMA 10.2.0.5-29sv firmware posted on Feb. 3, you still need to upgrade to SMA 10.2.0.6-32sv as outlined in the updated KB article. If you skipped the SMA 10.2.0.5-29sv firmware update from Feb. 3, you only need to apply the latest SMA firmware.
Please review the updated KB article for the latest firmware version numbers and follow detailed steps on how to upgrade.
@micah - SonicWall's Self-Service Sr. Manager
Is there any update on whether our support case information was stolen in the internal breach and if the malicious actors stole source code?
We upgraded to 10.2.0.6-32sv as per SonicWall's advice, and now none of our employees can log in via NetExtender.
We are getting User License errors saying we have none left (which is not correct) and this upgrade is the only change we made last Friday night.
Resync licenses has helped for now
Anyone get any more information from Sonicwall on all of this?
I guess every SNWL customer got this by now; it came in last night via e-mail? Most of the initial questions remain open, but at least it seems that no data at SNWL got compromised.
As previously communicated, SonicWall was the target of an attack by a highly sophisticated threat actor in mid-January. SonicWall’s priority in responding to the attack was identifying, resolving and providing alerts regarding potential product vulnerabilities that could impact our customers.
SonicWall first issued a zero-day vulnerability alert for one of our remote access products, the SMA 100 series, which we now believe was used in the attack. On Feb. 3 we released a critical patch for the vulnerability, and on Feb. 19 we issued an update with additional code-hardening for the SMA 100 series product line.
Based on our extensive investigation in consultation with forensic experts, there is no evidence that any other SonicWall products are impacted or that SonicWall’s source code has been modified or otherwise compromised. As a precaution, we are conducting additional third-party code reviews to supplement the standard code audits that are part of our development and PSIRT processes.
The January incident resulted in the exfiltration of some limited internal SonicWall files. Impacted parties and relevant regulators have been notified of this event.
We appreciate the support and confidence shown by our partners and customers as we have worked through the stages of this event and the ensuing investigation.
SonicWall remains committed to delivering world-class cybersecurity solutions for our partners and customers, and we will continue to communicate the latest information and guidance for keeping your organizations safe.
@Micah et al.
The gifted 60-day WAF license is going to expire in a few days. Does the SMA still need it to protect itself, or are we "good" to run it without it?
Some news about this story, in the rare case you missed it.