Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Urgent Security Advisory - NetExtender VPN Client Version 10.x and SMA 100 Series

124

Comments

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    I see the license on MSW but synchronize doesnt' work. Even "Activate, Upgrade, or Renew services." doesn't show it after logging in. Perhaps I have to wait or do a manual license upgrade.

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Not even a manual keyset upgrade brings the license into the unit. How is this possible? It shows up on MSW but not when logging in from SMA or with manual keyset?

  • Ach49Ach49 Newbie ✭

    Hello, What we are currently experiencing is difficult for everyone.

    Since the incident was reported on February 23, announcements have been made by SW and, for the most part, they were missing, erroneous or worse absent!

    - We are told that the product is safe if we activate MFA and EPC Ok ...

    To tell us after telling us that we must filter the IP. Imagine, dynamic public ip, impossible ...

    With 5 users, why not, 250 it becomes unmanageable madness!

    - You have to put a firewall before the SMA, OK :-)

    - Downgrade to version 9xxx, with defaut config and reconfigure from scatch ... arghhh !!!!!!!!

    - Blah, blah blah

    And then, what did I find on the web last week? that all SMA accounts of my users with their compromised passwords on pastebin !!!!

    For information, my SMA 410 had been put out of service Monday February 25 at 08:00.

    Shut down as a precaution.

    SMA Basic configured with MFA + EPC + GEOIP + certificates and administration with IP filtering by LAN, since the start of its installation, 6 months ago ...

    And I can prove it with the archives of my config

    So it was all for nothing. SW should have said "TURN ALL OFF!"

    And now ? Activate the WAF, that's for sure ... And we are nice, we offer it to you for free until tonight for a few weeks, after that it will be paid ... What to say ... You should offer it in free and permanent license as a commercial gesture !!!!

    It is shameful !!!

  • stfstf Newbie ✭
  • TX_ITTX_IT Enthusiast ✭✭

    Hi Guys, while I'm definitely one to call SonicWall on the carpet when needed on this, I think you might want to review what outbound HTTPS traffic you had allowed from your SMA to the WAN. Mine were licensed with all 692 this AM and that is the ONLY outbound HTTP/HTTPS traffic ours is allowed:

    https://www.sonicwall.com/support/knowledge-base/what-are-the-fqdn-s-that-needs-to-be-allowed-on-upstream-firewall-for-license-to-sync-on-sma100-series/200525173440210/

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited February 2021

    Hi guys,

    10.2.0.5-29sv got released, only .sig file so far. If you need to start from scratch with 10.x you're lost at the moment, because all other 10.x releases including the .ova Files for SMA 500v got vanished.

    Download speed is super slow, got some attention already or SNWL subscribed to the Junior Bandwidth package.

    Hope for the best that not that many stuff got broken :)

    --Michael@BWC

  • stfstf Newbie ✭

    I downloaded it. Currently reading release notes. Can we please get more details about the exploit? "Addressed critical credential access vulnerability reported" is all we have to run on.

  • UPDATE: February 3, 2021, 2. P.M. CST

    https://www.sonicwall.com/support/product-notification/210122173415410/

    SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.

    Affected SMA 100 Devices with 10.x Firmware that Require the Critical Patch:

    • Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
    • Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)

    Please read this notice in its entirety as it contains important details for post-upgrade steps. 

    Vulnerability Information

    The patch addresses vulnerabilities reported to SonicWall by the NCC Group on Jan. 31 and Feb. 2, tracked under PSIRT Advisory ID SNWLID-2021-0001. These include an exploit to gain admin credential access and a subsequent remote-code execution attack.

    Upgrade Recommended Steps

    Due to the potential credential exposure in SNWLID-2021-0001, all customers using SMA 10.x firmware should immediately follow the following procedures:

    1. Upgrade to SMA 10.2.0.5-29sv firmware, available from www.mysonicwall.com
      1. This firmware is available for everybody, regardless of the status of their support/service contract.
      2. Instructions on how to update the SMA 100 10.x series firmware can be found in this KB article for physical appliances and this KB article for virtual devices.
    2. Reset the passwords for any users who may have logged in to the device via the web interface.
    3. Enable multifactor authentication (MFA) as a safety measure.
      1. MFA has an invaluable safeguard against credential theft and is a key measure of good security posture.
      2.  MFA is effective whether it is enabled on the appliance directly or on the directory service in your organization.

    Additional WAF Mitigation Method

    Customers unable to immediately deploy the patch can also enable the built-in Web Application Firewall (WAF) feature to mitigate the vulnerability in SNWLID-2021-0001 on SMA 100 series 10.x devices.  

    Please follow the guidance in the following KB article to enable WAF functionality: https://www.sonicwall.com/support/knowledge-base/210202202221923/

    SonicWall is adding 60 complimentary days of WAF enablement to all registered SMA 100 series devices with 10.x code to enable this mitigation technique. 

    While this mitigation has been found in our lab to mitigate SNWLID-2021-0001, it does *not* replace the need to apply the patch in the long term and should only be used as a safety measure until the patched firmware is installed.

    Additional Notes

    • We currently are not aware of any forensic data that can be viewed by the user to determine whether a device has been attacked. However, we will post an update as we get more information.
    • Vulnerable virtual SMA 100 series 10.x images have been pulled from AWS and Azure marketplaces and updated images will be re-submitted as soon as possible. We expect the approval process to take several weeks. In the meantime, customers in Azure and AWS can update via incremental updates.

    Release notes for the firmware can be found in the downloads section of www.mysonicwall.com.

    @micah - SonicWall's Self-Service Sr. Manager

  • stfstf Newbie ✭

    We just did our internal one. So far so good. People are logged back in without issue. What are the chances that the installation has been tainted?

  • Halon5Halon5 Enthusiast ✭✭

    anybody seeing this?

    OPSWAT: Download OPSWAT package failed.

  • stfstf Newbie ✭

    I have seen that before. Pretty normal in our travels.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Halon5

    please have a look at my reply over there:

    By adding the host directly on the SMA under Network -> Host Resolution I was always able to fix this OPSWAT problem.

    --Michael@BWC

  • XronosXronos Newbie ✭
    Perfect you released a hotfix. Unfortunately the bugs we reported are back. We ran on a private build.
  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @Micah

    and this is the part where it gets weird:

    Reset the passwords for any users who may have logged in to the device via the web interface.

    What do you mean, only the LocalDomain users or ActiveDirectory, LDAP and Radius as well?

    What does this even mean, are any credentials possibly compromised?

    This needs clarification, this time for real.

    --Michael@BWC

  • stfstf Newbie ✭

    Yeah this is what we are all trying to understand. Does the vulnerability allow the attacker to see cached AD credentials on the appliance?

  • XronosXronos Newbie ✭
    A SQL-Injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform SQL query to access username password and other session-related information. This vulnerability impacted SMA100 build version 10.x.
  • Halon5Halon5 Enthusiast ✭✭

    @Micah ,

    Like all the others here, we are also trying to understand any potential impact(s) so we can perform the correct mitigation procedures. Password changes and so on.

  • kthorkthor Newbie ✭

    Kindly query the checksum for the patch file as it´s missing and share it here or in MySonicWALL.

    K

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @kthor

    in the meantime I share mine with you, because I don't know what SNWL is willing to share with us at this point. Not very communicative at the moment. All these files were used for successfull updates.

    MD5 (sw_sma400_eng_10.2.0.5_10.2.0_5_29sv_1261432.sig) = c07ebf0e934564ef38087a2eb2ff2872
    MD5 (sw_smahyperv_eng_10.2.0.5_10.2.0_5_29sv_1261432.sig) = 4d0208cb24e44c07e3ad15ebcd2b2d09
    MD5 (sw_smavm_eng_10.2.0.5_10.2.0_5_29sv_1261432.sig) = fc42c67eb84058f57a87ed11c0bfbed5
    

    --Michael@BWC

  • stfstf Newbie ✭

    I would love to know what the attackers are trying to do with this. We keep seeing this with frequency. On SMAs with difference firmware releases. 8/9/10

    SSLVPN: id=sslvpn sn= time="2021-02-04 05:25:40" vp_time="2021-02-04 10:25:40 UTC" fw= pri=6 m=0 c=300 src=144.217.207.77 dst= user="5ZUEeAgjIApebOcJdujVbH9Z61Q7UEghg6gMPUFiTLY=" usr="5ZUEeAgjIApebOcJdujVbH9Z61Q7UEghg6gMPUFiTLY=" msg="Virtual Assist Installing Customer App" agent="python-requests/2.9.1"

  • stfstf Newbie ✭

    Here is another example. This is running the patched firmware.

    SSLVPN: id=sslvpn time="2021-02-04 05:25:11" vp_time="2021-02-04 10:25:11 UTC" fw= pri=1 m=0 c=800 src=144.217.207.77 dst=207.99.117.86 user="System" usr="System" msg="ExtendID (query) invalid extendid: ''UNION SELECT userType||'#'||sessionid||'#'||userName||'#'||password||'#'||csrfToken from Sessions LIMIT 0,1;'" agent="python-requests/2.9.1"

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @stf

    the VirtualAssist thingy might be related to this which was a SonicOS matter and is maybe just a bycatch.

    But on the other hand the SQL Injection you experienced is probably the root cause for the current dilemma, which still raises the question which kind of credentials got exposed. Considerung the table name Sessions my best guest would be that all kind of authentication mechanisms got exposed and this is the reason why SNWL promoted MFA so hard.

    --Michael@BWC

  • stfstf Newbie ✭

    Thanks! I wonder if we should be concerned if the device was running patched firmware and we are still seeing a log message like that.

  • XronosXronos Newbie ✭

    @stf

    First i would remove your dst IP :) Additional the Source-IP is from OVH a hoster. I would write them an abuse e-mail to abuse@ovh.ca

  • stfstf Newbie ✭

    I noticed that after the fact. Sadly cannot edit the post. At this point I think the bad guys know how to find it.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @stf

    a customer reported a minute ago that the same IP 144.217.207.77 (OVH) tried the SQL injection. Seems to be a busy host though.

    I hope that the log event shows that it got blocked, message is not clear on this.

    May I promote my thread about Syslog events over there? Got no attention, like most of my gibberish.


    --Michael@BWC

  • stfstf Newbie ✭

    Any IP that comes up in our syslog alerting we are adding to blocked sites.

  • XronosXronos Newbie ✭
    @BWC if your WAF is still enabled. You should still see the prevenation of the attack (Monitor under WAF)
  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Xronos

    my Customer who reported the Alert has no WAF running, which brings us back to the initial question. Is this Alert the Message that it got handled and defused or was it the Message to wave your data goodbye?

    --Michael@BWC

Sign In or Register to comment.