Comments
Looks like they've published that a fix is coming soon. My frustration here is that will still have no idea what the behavior of the exploit looks like and there's been zero feedback on what our SIEMs could be picking up
If anyone hears something from SW, I'd love to know what the technical details are
Or if they could issue an IPS/GAV signature to the firewalls themselves.
Yes, that is a great step to mitigate as then you only have to worry about potential malicious activity from your well known users.
@micah - SonicWall's Self-Service Sr. Manager
Is the vulnerability in both the management interface and regular user login side, or only in the management interface? It isn't very clear.
How would we see if it's being exploited?
If doing Geo-IP restriction, is it better to do it on the firewall in front of the SMA or on the SMA itself?
Sounds to me like a general authentication problem not related to an interface:
"For user-level auth bypass (either via the VPN client or web), look for requests to:
/cgi-bin/sslvpnclient
/cgi-bin/portal
without a prior request to:
/cgi-bin/userLogin (for VPN client)
or for web:
/__api__/v1/logon (200)
/__api__/v1/logon/<id>/authenticate
Valid creds to /cgi-bin/userLogin, response size is 711 bytes, invalid creds is 658 (no cookie set)
Valid creds to /__api__/v1/logon/<id>/authenticate is 655 bytes, invalid is 611"
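As an added example (not posted by anyone in this thread, and not SonicWall code), here is a small Python hunt script that applies the heuristic quoted above to constructed access-log lines: it flags hits on the session endpoints from a client that never produced a successful login response first. It assumes a combined-log-style format and correlates by client IP, which is a simplification; the response sizes are taken from the post above and may differ between firmware builds.

```python
import re

# Constructed sample access-log lines (not real SMA output): ip, request, status, bytes
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2021:09:00:01 -0500] "POST /cgi-bin/userLogin HTTP/1.1" 200 711
10.0.0.5 - - [02/Feb/2021:09:00:03 -0500] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200 2048
10.0.0.9 - - [02/Feb/2021:09:01:10 -0500] "POST /cgi-bin/userLogin HTTP/1.1" 200 658
10.0.0.9 - - [02/Feb/2021:09:01:12 -0500] "GET /cgi-bin/portal HTTP/1.1" 200 4096
203.0.113.7 - - [02/Feb/2021:09:02:00 -0500] "GET /cgi-bin/portal HTTP/1.1" 200 4096
10.0.0.12 - - [02/Feb/2021:09:03:00 -0500] "POST /__api__/v1/logon HTTP/1.1" 200 300
10.0.0.12 - - [02/Feb/2021:09:03:02 -0500] "POST /__api__/v1/logon/42/authenticate HTTP/1.1" 200 655
10.0.0.12 - - [02/Feb/2021:09:03:05 -0500] "GET /cgi-bin/portal HTTP/1.1" 200 4096
"""

# Combined-log-style line: client ip, timestamp, method, path, status, response bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
API_AUTH_RE = re.compile(r"^/__api__/v1/logon/[^/]+/authenticate$")
# Endpoints that should only be reachable after a successful login
SESSION_PATHS = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}
# Response sizes the thread reports for a valid-credential login (assumption: firmware-specific)
USERLOGIN_OK_BYTES = 711
API_AUTH_OK_BYTES = 655


def find_unauthenticated_sessions(log_text):
    """Return (ip, timestamp, path) for session-endpoint hits with no prior successful login from that ip."""
    authed = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, ts, _method, path, status, size = m.groups()
        size = int(size) if size != "-" else 0
        if path == "/cgi-bin/userLogin" and size == USERLOGIN_OK_BYTES:
            authed.add(ip)  # VPN-client login that set a cookie
        elif API_AUTH_RE.match(path) and status == "200" and size == API_AUTH_OK_BYTES:
            authed.add(ip)  # web login that succeeded
        elif path in SESSION_PATHS and ip not in authed:
            hits.append((ip, ts, path))  # session page reached without a known login
    return hits


if __name__ == "__main__":
    for ip, ts, path in find_unauthenticated_sessions(SAMPLE_LOG):
        print(f"{ts} {ip} reached {path} without a prior successful login")
```

Clients behind shared NAT will collide on IP, so for real logs correlate on the session cookie if your log source records it.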
Hi @SonicAdmin80
I guess we have to guess, none of my questions on page #1 were answered. Rumor says that it's even vulnerable without authentication, which would render MFA useless.
As @Xronos explained any portal is vulnerable, which would answer at least one of my questions :)
GeoIP before the SMA would be my preferred choice, because it's unreliable on the SMA, at least for me.
--Michael@BWC
@BWC hopefully they will give us some more information soon. I also have some additional questions, but I will wait until they release the fix. I think they are putting all their strength into the fix at the moment.
I'm trying to do Geo-IP on an access rule on Gen 7 UI, which doesn't work. Let's see if it works even in Gen 6.5 UI.
Gen 6 UI works with SonicOS 7 for setting Geo-IP policy for access rule.
SNWL pulled all 10.x Releases from MSW, making free space for the fixed firmware? 😎
At least no new deployments for everyone who lived under a rock for the last 10 days.
--Michael@BWC
It's also unclear how user passwords are compromised. The recommendation is to reset user passwords, but if the vulnerability is a complete authentication bypass is there actually risk for password leakage?
SNWL Germany sent a note to Partners a minute ago with the following options:
No Mitigation, no propagation of GeoIP, MFA ... just keep everyone away from this thing.
Lucky me, I don't the SMA personally, but others may be screwed.
--Michael@BWC
We may have seen a potential compromise this morning. Details are below.
https://www.reddit.com/r/sonicwall/comments/laxirp/sonicwall_sma_500v_10003_potential_compromise/
No IPS signature for this "access" ?
I can't believe I've had to find out what the impacted URLs are from reddit and twitter. At least we have something to look at now
I wish we'd all got that email 7 days ago 😥
EOB 02.02.2021? Which timezone? CST?
What did you find out?
The URLs to look for behavior on and that MFA isn't actually a fix (if you read the reddit thread).
We opened a case this morning at around 10:00 AM EST and have not heard anything back yet. Curious if anyone has had any luck with getting through to support.
any word on the fix?
We opened a case, but they just kept emailing us the public KB as a response. Support and our account managers appear to have been gagged
UPDATE: FEBRUARY 2, 2021, 11 P.M. CST
The SMA 100 series 10.x patch announced yesterday to address the zero-day vulnerability is still undergoing final testing and our new estimate for delivery is early Feb. 3 (PST).
Meanwhile, we have identified an additional mitigation to remediate the attack on the SMA 100 series 10.x firmware. The built-in Web Application Firewall (WAF) functionality has been observed in our testing to neutralize the zero-day vulnerability. Please follow the guidance in the following KB article to enable WAF functionality on the SMA 100 series appliance: https://www.sonicwall.com/support/knowledge-base/210202202221923/
SonicWall is adding 60 complimentary days of WAF enablement to all registered SMA 100 series devices with 10.X code in order to enable this mitigation technique. This 60-day license will be automatically enabled within “www.MySonicWall.com” accounts of registered SMA 100 series devices before the end of today, Feb. 2 (PST).
The Feb. 3 patch remains the definitive solution to the zero-day vulnerability. The patch will include additional code-strengthening and should be applied immediately upon availability.
Yippee yi yo!
Well,
maybe just adding it completely free would have been a better move... oh right, we have to pay extra for a secure SMA...
No IPS firewall sigs for this...?
Hi guys,
I already have WAF licensed on my personal SMA and was able to activate the 60 day gift on a few machines already. But there are appliances (with valid support) which are stuck on "not licensed".
One other thing I noticed is the number of signatures. My SMA shows 692 signatures, the freebie only 21, with a Status shown as updated.
Are these 21 Signatures all we need?
Update:
Wait for it, you have to have USofA allowed in the GeoIP Policy to get the 692 signatures, which brings me straight back to my other (unrecognized) thread:
I'm so fed up with this 😡
--Michael@BWC
@BWC ,
You must be special.. haven't seen anything yet..
@Halon5
after allowing the USofA and hitting License sync a few times it got listed as licensed until early April.
--Michael@BWC
@BWC
nah, I can't even see it on MSW... Shouldn't it show up there first?
S.
@Halon5
dunno, I did it solely on the SMA appliance via License sync. After allowing USofA in the GeoIP policy I was able to activate it on every SMA I deployed.
--Michael@BWC
@BWC ,
oooo!!
there it is..