
SMA 100 Series - infected with persistent malware (fixed in 10.2.1.7)?

BWC Cybersecurity Overlord ✭✭✭

Does anybody know if the infection with persistent malware (surviving reboots etc.) on unpatched SMA 100 Series (2x0/4x0/500v) is removed by updating to 10.2.1.7, or does it need a fresh install? Is there a way to tell if an appliance is infected?

This does not sound really comforting, and hopefully it has nothing to do with the fact that some form of development for SMA is done in China (HK).

--Michael@BWC

Category: Secure Mobile Access Appliances

Comments

  • Larry All-Knowing Sage ✭✭✭✭

    @BWC - Michael - here's more in-depth discussion:

    Very glad I never caught the "urgent need" to implement the SMA product line.

  • BWC Cybersecurity Overlord ✭✭✭

    @Larry thanks for the link, I did not check with Mandiant, but it's pretty detailed. It seems that, once infected, the malware modifies any uploaded firmware package. The question remains whether the newly introduced countermeasures in 10.2.1.7 detect this. I assume they do, because they must have been introduced for a reason.

    I rooted the SMA myself (it's pretty easy on virtual) and peeked around, and it gave me the chills. But on the other side, I've got some insights about the wrongful iptables implementation, which I reported here but no one cares about. I need to check if this is still possible in 10.2.1.7.

    SMA is like the other legacy solutions ready for a major overhaul or retirement.

    --Michael@BWC

  • Craig_S Newbie ✭

    Right on the heels of a reboot after applying the latest firmware this morning, I was alerted by the device to the following:

    SSLVPN: id=sslvpn sn=xxxxxx time="2023-03-10 07:36:48" vp_time="2023-03-10 12:36:48 UTC" fw=x.x.x.x pri=2 m=34 c=402 src=77.73.131.6 dst="y.y.y.y" user="Unknown" usr="Unknown" msg="WAF threat prevented: SQL Injection Attack" URI=y.y.y.y:443/cgi-bin/extendauthentication rule-match="' union select usertype||'#'||sessionid||'#'||username||'#'||password||'#'||domainname from sessions limit 0,1;" AttackCat="SQL Injection Attack" summ="SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input" sigid="9005" category="Command Execution--SQL Injection" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0"

    So it looks like the exploit is being used in the wild. It'd be good to know if 10.2.1.7 does eliminate any existing compromise that may have occurred on the device. Now to examine my /tmp/temp.db for any signs of compromise.

    Also, I don't appreciate that the email from SonicWall that I received Tuesday listed the patch as a Maintenance patch and not a Critical patch.
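A small parser for the alert format quoted above, added here as an example and not code from the original thread or from SonicWall: it splits the SSLVPN key=value line into fields, flags lines whose msg begins with "WAF threat prevented", and counts blocked requests per source address so the noisy sources stand out during triage. The sample lines are constructed (RFC 5737 test-range addresses, a placeholder in place of the rule-match payload, and an invented benign login line), and the field names are assumed to be stable across the appliance's log lines.

```python
"""Parse SonicWall SMA SSLVPN key=value log lines and pull out WAF
"threat prevented" events so they can be counted per source address.
Added example, not SonicWall code; field names follow the alert quoted in
the thread, and the sample lines below are constructed."""
import re
from collections import Counter

# key=value pairs: values are either double-quoted (may contain spaces) or a bare token
_KV_RE = re.compile(r'([\w\-]+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Constructed sample lines modelled on the alert format. The rule-match payload is
# replaced by a placeholder; addresses are RFC 5737 test ranges; the third line is
# an invented benign login event used as a negative case.
SAMPLE_LOGS = [
    'SSLVPN: id=sslvpn sn=0000000000 time="2023-03-10 07:36:48" vp_time="2023-03-10 12:36:48 UTC" '
    'fw=192.0.2.1 pri=2 m=34 c=402 src=203.0.113.5 dst="192.0.2.1" user="Unknown" usr="Unknown" '
    'msg="WAF threat prevented: SQL Injection Attack" URI=192.0.2.1:443/cgi-bin/extendauthentication '
    'rule-match="<payload placeholder>" AttackCat="SQL Injection Attack" '
    'summ="SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input" '
    'sigid="9005" category="Command Execution--SQL Injection" agent="Mozilla/5.0 (placeholder UA)"',
    'SSLVPN: id=sslvpn sn=0000000000 time="2023-03-10 07:36:52" vp_time="2023-03-10 12:36:52 UTC" '
    'fw=192.0.2.1 pri=2 m=34 c=402 src=203.0.113.5 dst="192.0.2.1" user="Unknown" usr="Unknown" '
    'msg="WAF threat prevented: SQL Injection Attack" URI=192.0.2.1:443/cgi-bin/extendauthentication '
    'rule-match="<payload placeholder>" AttackCat="SQL Injection Attack" sigid="9005" '
    'category="Command Execution--SQL Injection" agent="Mozilla/5.0 (placeholder UA)"',
    'SSLVPN: id=sslvpn sn=0000000000 time="2023-03-10 08:01:10" vp_time="2023-03-10 13:01:10 UTC" '
    'fw=192.0.2.1 pri=6 m=7 c=16 src=198.51.100.20 dst="192.0.2.1" user="alice" usr="alice" '
    'msg="User login successful (constructed)" agent="Mozilla/5.0 (placeholder UA)"',
]


def parse_sslvpn_log(line: str) -> dict:
    """Return the key=value fields of one line as a dict, with surrounding quotes stripped."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def is_waf_block(fields: dict) -> bool:
    """True for lines the appliance's WAF reported as a prevented threat."""
    return fields.get("msg", "").startswith("WAF threat prevented")


def waf_events(lines):
    """Yield the triage-relevant fields of every WAF-block line."""
    keep = ("time", "src", "URI", "sigid", "AttackCat", "category", "agent")
    for line in lines:
        fields = parse_sslvpn_log(line)
        if is_waf_block(fields):
            yield {k: fields.get(k, "") for k in keep}


def hits_per_source(lines) -> Counter:
    """Count WAF-blocked requests per source address, the usual first pivot."""
    return Counter(event["src"] for event in waf_events(lines))


if __name__ == "__main__":
    for event in waf_events(SAMPLE_LOGS):
        print(event)
    print(hits_per_source(SAMPLE_LOGS))
```

Feeding the appliance's syslog export (or a SIEM search of the same lines) to hits_per_source gives a per-address count of blocked attempts; a source that keeps hitting cgi-bin/extendauthentication with sigid 9005 is the kind of thing to block upstream and to correlate with any successful logins from the same address.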

  • preston All-Knowing Sage ✭✭✭✭
  • BWC Cybersecurity Overlord ✭✭✭

    @preston thanks, this is pretty detailed, I'm intrigued to give it a test drive.

    It sounds like 10.2.1.7 is detecting modifications, hopefully starting with the upgrade to 10.2.1.7 (from 10.2.0.x or 10.2.1.x) and not only from 10.2.1.7 upwards.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I started seeing login attempts last week. I read the SonicWall blog but I didn't think it or the email notification gave the matter the urgency it should have. So I haven't updated yet since it didn't seem too bad.

    Is this the new way SonicWall is going to handle critical security issues? Bury them in marketing and downplaying the significance?

  • BWC Cybersecurity Overlord ✭✭✭

    @SonicAdmin80 break free from the severity and be boundless.

    --Michael@BWC

  • SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @BWC 😂 Indeed, limitless vulnerabilities.

    At least here they say "NOTE: Upgrade from v10.2.0.x to v10.2.1.7 is supported": https://www.sonicwall.com/support/knowledge-base/upgrade-path-for-sma100-series/190314100423452/

    So perhaps the update fixes the issue but who knows since right below it they say "Follow the KB Safe mode steps" and link to factory defaulting the appliance.
