SMA 100 Series - infected with persistent malware (fixed in 10.2.1.7)?
BWC
Cybersecurity Overlord ✭✭✭
Does anybody know if the infection with persistent malware (surviving reboots etc.) on unpatched SMA 100 Series (2x0/4x0/500v) is removed by updating to 10.2.1.7, or does it need a fresh install? Is there a way to tell if an appliance is infected?
This does not sound really comforting, and hopefully it has nothing to do with the fact that some form of development for SMA is done in China (HK).
--Michael@BWC
Category: Secure Mobile Access Appliances
Comments
@BWC - Michael - here's more in-depth discussion:
Very glad I never caught the "urgent need" to implement the SMA product line.
@Larry thanks for the link, I did not check with Mandiant, but it's pretty detailed. It seems, once infected, the malware modifies any uploaded firmware package. The question remains whether the newly introduced countermeasures in 10.2.1.7 detect this. I assume they do, because they must have been introduced for a reason.
I rooted the SMA myself (it's pretty easy on virtual) and peeked around, and it gave me the chills. But on the other side I've got some insights about the wrongful iptables implementation, which I reported here but no one cares about. I need to check if this is still possible in 10.2.1.7.
SMA is like the other legacy solutions ready for a major overhaul or retirement.
--Michael@BWC
Right on the heels of a reboot after applying the latest firmware this morning, the device alerted me with the following:
SSLVPN: id=sslvpn sn=xxxxxx time="2023-03-10 07:36:48" vp_time="2023-03-10 12:36:48 UTC" fw=x.x.x.x pri=2 m=34 c=402 src=77.73.131.6 dst="y.y.y.y" user="Unknown" usr="Unknown" msg="WAF threat prevented: SQL Injection Attack" URI=y.y.y.y:443/cgi-bin/extendauthentication rule-match="' union select usertype||'#'||sessionid||'#'||username||'#'||password||'#'||domainname from sessions limit 0,1;" AttackCat="SQL Injection Attack" summ="SQL Injection is an attack technique used to exploit web sites that construct SQL statements from user-supplied input" sigid="9005" category="Command Execution--SQL Injection" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0"
So it looks like the exploit is being used in the wild. It'd be good to know if 10.2.1.7 does eliminate any existing compromise that may have occurred on the device. Now to examine my /tmp/temp.db for any signs of compromise. Also, I don't appreciate that the email from SonicWall that I received Tuesday listed the patch as a Maintenance patch and not a Critical patch.
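As an added example (not code from the poster or from SonicWall), the following Python parses SSLVPN syslog lines in the key=value format shown above and pulls out the "WAF threat prevented" events so they can be triaged by source address, signature id and category instead of being read by hand. The sample lines are constructed: addresses come from the RFC 5737 documentation ranges, the serial number and firewall address are placeholders, and the rule-match payload is a shortened stand-in for the one quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SSLVPN WAF alert format quoted in the thread.
# Addresses are from RFC 5737 documentation ranges; sn/fw/dst values are placeholders.
SAMPLE_LINES = [
    'SSLVPN: id=sslvpn sn=0000000000 time="2023-03-10 07:36:48" vp_time="2023-03-10 12:36:48 UTC" '
    'fw=192.0.2.1 pri=2 m=34 c=402 src=203.0.113.5 dst="192.0.2.1" user="Unknown" usr="Unknown" '
    'msg="WAF threat prevented: SQL Injection Attack" URI=192.0.2.1:443/cgi-bin/extendauthentication '
    'rule-match="\' union select username||\'#\'||password from sessions limit 0,1;" '
    'AttackCat="SQL Injection Attack" summ="SQL Injection is an attack technique used to exploit '
    'web sites that construct SQL statements from user-supplied input" sigid="9005" '
    'category="Command Execution--SQL Injection" '
    'agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0"',
    # Constructed benign event for contrast; it must not be reported as a WAF block.
    'SSLVPN: id=sslvpn sn=0000000000 time="2023-03-10 07:40:02" vp_time="2023-03-10 12:40:02 UTC" '
    'fw=192.0.2.1 pri=6 m=12 c=64 src=198.51.100.7 dst="192.0.2.1" user="jdoe" usr="jdoe" '
    'msg="User login successful" agent="Mozilla/5.0"',
]

# key=value pairs; values are either double-quoted (may contain spaces and single
# quotes) or bare tokens that end at the next whitespace. Keys may contain '-' and '_'.
KV_RE = re.compile(r'([A-Za-z_][\w-]*)=(?:"([^"]*)"|(\S+))')


def parse_sslvpn_line(line):
    """Parse one SSLVPN syslog line into a dict of its key/value fields."""
    fields = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def is_waf_block(fields):
    """True when the event is a WAF 'threat prevented' record."""
    return fields.get("msg", "").startswith("WAF threat prevented")


def triage(lines):
    """Return (alerts, per_source_counts) for the WAF-blocked requests in `lines`.

    Each alert keeps the fields a responder wants first: when, from where, which
    URI, which signature, and whether the matched rule referenced the sessions
    table (the thread's own log shows the payload targeting it).
    """
    alerts = []
    for line in lines:
        f = parse_sslvpn_line(line)
        if not is_waf_block(f):
            continue
        alerts.append({
            "time": f.get("vp_time") or f.get("time"),
            "src": f.get("src"),
            "uri": f.get("URI"),
            "sigid": f.get("sigid"),
            "category": f.get("category"),
            "touches_sessions_table": "from sessions" in f.get("rule-match", "").lower(),
        })
    return alerts, Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found, by_src = triage(SAMPLE_LINES)
    for a in found:
        print(f"{a['time']} src={a['src']} sigid={a['sigid']} uri={a['uri']} "
              f"category={a['category']!r} sessions_table={a['touches_sessions_table']}")
    print("blocked requests per source:", dict(by_src))
```

Feeding a day's worth of exported SSLVPN syslog into `triage()` gives a per-source count of blocked requests, which is the quickest way to see whether a single address is hammering the appliance or whether many sources are probing it; repeated hits against the same CGI path with the sessions-table flag set are the events worth correlating with session and login records from the same window.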
Hi Michael, see below what I've received from our SE:
https://blog.sonicwall.com/en-us/2023/03/new-sma-release-updates-openssl-library-includes-key-security-features/
@preston thanks, this is pretty detailed, I'm intrigued to give it a test drive.
It sounds like 10.2.1.7 is detecting modifications, hopefully starting with the upgrade to 10.2.1.7 (from 10.2.0.x or 10.2.1.x) and not only from 10.2.1.7 upwards.
--Michael@BWC
I started seeing login attempts last week. I read the SonicWall blog but I didn't think it or the email notification gave the matter the urgency it should have. So I haven't updated yet since it didn't seem too bad.
Is this the new way SonicWall is going to handle critical security issues? Bury them in marketing and downplaying the significance?
@SonicAdmin80 break free from the severity and be boundless.
--Michael@BWC
@BWC 😂 Indeed, limitless vulnerabilities.
At least here they say "NOTE: Upgrade from v10.2.0.x to v10.2.1.7 is supported": https://www.sonicwall.com/support/knowledge-base/upgrade-path-for-sma100-series/190314100423452/
So perhaps the update fixes the issue but who knows since right below it they say "Follow the KB Safe mode steps" and link to factory defaulting the appliance.