SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.
Affected SMA 100 Devices with 10.x Firmware that Require the Critical Patch:
Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)
Please read this notice in its entirety as it contains important details for post-upgrade steps.
Vulnerability Information
The patch addresses vulnerabilities reported to SonicWall by the NCC Group on Jan. 31 and Feb. 2, tracked under PSIRT Advisory ID SNWLID-2021-0001. These include an exploit to gain admin credential access and a subsequent remote-code execution attack.
Upgrade Recommended Steps
Due to the potential credential exposure in SNWLID-2021-0001, all customers using SMA 10.x firmware should immediately follow these procedures:
- Reset the passwords for any users who may have logged in to the device via the web interface.
- Enable multifactor authentication (MFA) as a safety measure.
MFA is an invaluable safeguard against credential theft and a key measure of good security posture.
MFA is effective whether it is enabled on the appliance directly or on the directory service in your organization.
Additional WAF Mitigation Method
Customers unable to immediately deploy the patch can also enable the built-in Web Application Firewall (WAF) feature to mitigate the vulnerability in SNWLID-2021-0001 on SMA 100 series 10.x devices.
SonicWall is adding 60 complimentary days of WAF enablement to all registered SMA 100 series devices with 10.x code to enable this mitigation technique.
While this mitigation has been found in our lab to mitigate SNWLID-2021-0001, it does *not* replace the need to apply the patch in the long term and should only be used as a safety measure until the patched firmware is installed.
Additional Notes
We currently are not aware of any forensic data that can be viewed by the user to determine whether a device has been attacked. However, we will post an update as we get more information.
Vulnerable virtual SMA 100 series 10.x images have been pulled from AWS and Azure marketplaces and updated images will be re-submitted as soon as possible. We expect the approval process to take several weeks. In the meantime, customers in Azure and AWS can update via incremental updates.
Release notes for the firmware can be found in the downloads section of www.mysonicwall.com.
A SQL-injection vulnerability in the SonicWall SSLVPN SMA100 product allows a remote unauthenticated attacker to perform a SQL query to access username, password and other session-related information. This vulnerability impacted SMA100 build version 10.x.
Comments
I see the license on MSW but synchronize doesn't work. Even "Activate, Upgrade, or Renew services." doesn't show it after logging in. Perhaps I have to wait or do a manual license upgrade.
Not even a manual keyset upgrade brings the license into the unit. How is this possible? It shows up on MSW but not when logging in from SMA or with manual keyset?
Hello. What we are currently experiencing is difficult for everyone.
Since the incident was reported on February 23, announcements have been made by SW and, for the most part, they were missing, erroneous or, worse, absent!
- We are told that the product is safe if we activate MFA and EPC. Ok ...
Only to tell us afterwards that we must filter the IP. Imagine, with a dynamic public IP, impossible ...
With 5 users, why not; with 250 it becomes unmanageable madness!
- You have to put a firewall before the SMA, OK :-)
- Downgrade to version 9xxx, with default config and reconfigure from scratch ... arghhh !!!!!!!!
- Blah, blah blah
And then, what did I find on the web last week? All the SMA accounts of my users, with their compromised passwords, on pastebin !!!!
For information, my SMA 410 had been put out of service Monday February 25 at 08:00.
Shut down as a precaution.
SMA Basic configured with MFA + EPC + GEOIP + certificates, and administration with IP filtering by LAN, since the start of its installation 6 months ago ...
And I can prove it with the archives of my config.
So it was all for nothing. SW should have said "TURN ALL OFF!"
And now? Activate the WAF, that's for sure ... And we are nice, we offer it to you for free until tonight for a few weeks, after that it will be paid ... What to say ... You should offer it as a free and permanent license as a commercial gesture !!!!
It is shameful !!!
Were your users in AD or were they local users on the box?
Hi Guys, while I'm definitely one to call SonicWall on the carpet when needed on this, I think you might want to review what outbound HTTPS traffic you had allowed from your SMA to the WAN. Mine were licensed with all 692 this AM and that is the ONLY outbound HTTP/HTTPS traffic ours is allowed:
https://www.sonicwall.com/support/knowledge-base/what-are-the-fqdn-s-that-needs-to-be-allowed-on-upstream-firewall-for-license-to-sync-on-sma100-series/200525173440210/
Hi guys,
10.2.0.5-29sv got released, only the .sig file so far. If you need to start from scratch with 10.x you're lost at the moment, because all other 10.x releases, including the .ova files for SMA 500v, have vanished.
Download speed is super slow; either it got some attention already or SNWL subscribed to the Junior Bandwidth package.
Hope for the best that not too much stuff got broken :)
--Michael@BWC
I downloaded it. Currently reading release notes. Can we please get more details about the exploit? "Addressed critical credential access vulnerability reported" is all we have to run on.
UPDATE: February 3, 2021, 2 P.M. CST
https://www.sonicwall.com/support/product-notification/210122173415410/
SonicWall is announcing the availability of an SMA 100 series firmware 10.2.0.5-29sv update to patch a zero-day vulnerability on SMA 100 series 10.x code. All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation.
Please follow the guidance in the following KB article to enable WAF functionality: https://www.sonicwall.com/support/knowledge-base/210202202221923/
@micah - SonicWall's Self-Service Sr. Manager
We just did our internal one. So far so good. People are logged back in without issue. What are the chances that the installation has been tainted?
anybody seeing this?
OPSWAT: Download OPSWAT package failed.
I have seen that before. Pretty normal in our travels.
Hi @Halon5
please have a look at my reply over there:
By adding the host directly on the SMA under Network -> Host Resolution I was always able to fix this OPSWAT problem.
--Michael@BWC
Hi @Micah
and this is the part where it gets weird:
Reset the passwords for any users who may have logged in to the device via the web interface.
What do you mean, only the LocalDomain users or ActiveDirectory, LDAP and Radius as well?
What does this even mean, are any credentials possibly compromised?
This needs clarification, this time for real.
--Michael@BWC
Yeah this is what we are all trying to understand. Does the vulnerability allow the attacker to see cached AD credentials on the appliance?
Would like to know this too
@Micah ,
Like all the others here, we are also trying to understand any potential impact(s) so we can perform the correct mitigation procedures. Password changes and so on.
Kindly query the checksum for the patch file as it's missing and share it here or in MySonicWALL.
K
Hi @kthor
In the meantime I share mine with you, because I don't know what SNWL is willing to share with us at this point. Not very communicative at the moment. All these files were used for successful updates.
--Michael@BWC
I would love to know what the attackers are trying to do with this. We keep seeing this with frequency, on SMAs with different firmware releases (8/9/10).
SSLVPN: id=sslvpn sn= time="2021-02-04 05:25:40" vp_time="2021-02-04 10:25:40 UTC" fw= pri=6 m=0 c=300 src=144.217.207.77 dst= user="5ZUEeAgjIApebOcJdujVbH9Z61Q7UEghg6gMPUFiTLY=" usr="5ZUEeAgjIApebOcJdujVbH9Z61Q7UEghg6gMPUFiTLY=" msg="Virtual Assist Installing Customer App" agent="python-requests/2.9.1"
Here is another example. This is running the patched firmware.
SSLVPN: id=sslvpn time="2021-02-04 05:25:11" vp_time="2021-02-04 10:25:11 UTC" fw= pri=1 m=0 c=800 src=144.217.207.77 dst=207.99.117.86 user="System" usr="System" msg="ExtendID (query) invalid extendid: ''UNION SELECT userType||'#'||sessionid||'#'||userName||'#'||password||'#'||csrfToken from Sessions LIMIT 0,1;'" agent="python-requests/2.9.1"
Hi @stf
the VirtualAssist thingy might be related to this, which was a SonicOS matter and is maybe just bycatch.
But on the other hand the SQL injection you experienced is probably the root cause for the current dilemma, which still raises the question of which kind of credentials got exposed. Considering the table name Sessions, my best guess would be that all kinds of authentication mechanisms got exposed, and this is the reason why SNWL promoted MFA so hard.
--Michael@BWC
Thanks! I wonder if we should be concerned if the device was running patched firmware and we are still seeing a log message like that.
@stf
First I would remove your dst IP :) Additionally, the source IP is from OVH, a hoster. I would write them an abuse e-mail to abuse@ovh.ca
I noticed that after the fact. Sadly cannot edit the post. At this point I think the bad guys know how to find it.
Hi @stf
a customer reported a minute ago that the same IP 144.217.207.77 (OVH) tried the SQL injection. Seems to be a busy host though.
I hope that the log event shows that it got blocked, message is not clear on this.
May I promote my thread about Syslog events over there? Got no attention, like most of my gibberish.
--Michael@BWC
Any IP that comes up in our syslog alerting we are adding to blocked sites.
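As an added example (not the thread's or SonicWall's code), here is a small Python detector for the SSLVPN syslog layout stf quoted above and the kind of syslog alerting Xronos mentions: it parses the key=value lines, flags ExtendID events that carry SQL keywords or come from scripted clients, and groups hits by source IP for review. The sample lines, their documentation-range IPs and the placeholder injection string are constructed.

```python
import re

# One key=value pair of the SMA "SSLVPN:" syslog layout: the value is a double-quoted
# string (may hold spaces, '=' and single quotes) or a bare token, possibly empty (sn=, fw=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample lines in the same layout as the events quoted in the thread; IPs are
# documentation-range addresses and the injection string is a placeholder, not a working query.
SAMPLE_LOG = """\
SSLVPN: id=sslvpn sn= time="2021-02-04 05:25:11" vp_time="2021-02-04 10:25:11 UTC" fw= pri=1 m=0 c=800 src=192.0.2.10 dst= user="System" usr="System" msg="ExtendID (query) invalid extendid: ''UNION SELECT 1 from Sessions LIMIT 0,1;'" agent="python-requests/2.9.1"
SSLVPN: id=sslvpn sn= time="2021-02-04 05:25:40" vp_time="2021-02-04 10:25:40 UTC" fw= pri=6 m=0 c=300 src=192.0.2.10 dst= user="alice" usr="alice" msg="Virtual Assist Installing Customer App" agent="python-requests/2.9.1"
SSLVPN: id=sslvpn sn= time="2021-02-04 08:01:02" vp_time="2021-02-04 13:01:02 UTC" fw= pri=6 m=0 c=300 src=198.51.100.7 dst= user="bob" usr="bob" msg="User login successful" agent="Mozilla/5.0"
""".splitlines()

SQLI_PATTERNS = [
    re.compile(r"\bUNION\b.*\bSELECT\b", re.I),  # UNION-based probe
    re.compile(r"\bFROM\s+Sessions\b", re.I),     # the table named in the thread
]

def parse_sslvpn_event(line: str) -> dict[str, str]:
    """Split one syslog line into a dict; quotes are stripped, empty values are kept."""
    body = line.split("SSLVPN:", 1)[1] if "SSLVPN:" in line else line
    fields: dict[str, str] = {}
    for key, val in KV_RE.findall(body):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        fields[key] = val
    return fields

def classify(event: dict[str, str]) -> list[str]:
    """Return the reasons an event looks like probing; an empty list means benign."""
    msg = event.get("msg", "")
    reasons = []
    if "invalid extendid" in msg.lower():
        reasons.append("malformed ExtendID parameter")
    if any(p.search(msg) for p in SQLI_PATTERNS):
        reasons.append("SQL keywords in ExtendID value")
    if event.get("agent", "").lower().startswith("python-requests"):
        reasons.append("scripted client user-agent")
    return reasons

def suspicious_sources(lines: list[str]) -> dict[str, list[str]]:
    """Group flagged events by src IP; a hit is an attempt to investigate, not proof of a block or breach."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_sslvpn_event(line)
        reasons = classify(ev)
        if reasons and ev.get("src"):
            flagged.setdefault(ev["src"], []).extend(reasons)
    return flagged
```

Feed `suspicious_sources()` the lines your syslog collector receives from the SMA; the event text alone does not say whether the appliance rejected the request, which is the open question in the thread.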
@Xronos
my Customer who reported the Alert has no WAF running, which brings us back to the initial question. Is this Alert the Message that it got handled and defused or was it the Message to wave your data goodbye?
--Michael@BWC