Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Urgent Security Advisory - NetExtender VPN Client Version 10.x and SMA 100 Series

1235»

Comments

  • stfstf Newbie ✭

    I am trying to get more information through my sonicwall rep to understand if the attackers could have gained persistence on the appliances.

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @stf

    I forwarded a similar event log entry like yours to my local SNWL contact and he couldn't help because there were no more related log entries to put in context. He suggested to create a Support Ticket for further analysis ... of what?

    It was a simple question, what does this log entry means and was it caused by an allow or block action.

    --Michael@BWC

  • XronosXronos Newbie ✭
    edited February 2021

    I would try to ask Ollie Whitehouse or Rich Warren on twitter. They found the vulnerability (NCCGroupInfosec). They have properly more information about as sonicwall. It looks like sonicwall is "overwhelmed"

    https://mobile.twitter.com/ollieatnccgroup

    https://mobile.twitter.com/buffaloverflow

  • stfstf Newbie ✭

    Saw this message today on 5-6 SMA appliances. Just sharing what we are seeing.

    SSLVPN: id=sslvpn sn= time="2021-02-08 22:43:28" vp_time="2021-02-09 06:43:28 UTC" fw= pri=1 m=0 c=800 src=45.32.134.245 dst= user="System" usr="System" msg="ExtendID (query) invalid extendid: '1' or substr((select sessionId from Sessions Limit 1 OFFSET 0),1,1)='q';--''" agent="python-requests/2.21.0"

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @stf

    looks like another attempt for SQL injection. But you can be assured SNWL would definitely comment on that urgent matter if our deployments would be on any risk whatsoever. Wasn't worth a comment last week for a similar sighting, so it's a nothing burger.

    This message may include spoors of sarcasm, be advised if you're known allergic to it.

    --Michael@BWC

  • B3rtB3rt Newbie ✭

    I received the same alert today from that exact same src IP address

  • stfstf Newbie ✭

    There are definitely some "campaigns" that are going on to find vulnerable devices...

  • techpattechpat Newbie ✭

    Hi @all,

    I'm looking for someone who can help me clearify about the migitation option. I already tried the support hotline but the line seems really busy.

    As already in previous posts mentioned Sonicwall stated as one of the migitation options to enable WAF and get a 60 day complimentary license. Uhm, my question is, do I need to have a WAF license before or do I need to buy a license afterwards? Or is this complimentary option bound to some rules? (execpt a registered SMA?)

    Thank you in advance!

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @techpat

    it seems noone is willing to chime in, I can only provide my Enduser/Partner view.

    The WAF for 60 days is a freebie and of course to this point in time you have to pay good money for that feature afterwards. There is no official word if WAF is still necessary after applying 10.2.0.5. There is no word of the impact of the vulnerability (SQL injection extracted credentials?).

    There a bunch of things to clear up, but SNWL is making no steps into that direction, plain silence.

    --Michael@BWC

  • stfstf Newbie ✭

    I am also wondering when Sonicwall is going to give us more details on this.

  • HLKNZHLKNZ Newbie ✭

    Can anyone comment as to whether Sonicwall has said anything about the data breach? Was customer information stolen?

  • stfstf Newbie ✭

    That would be a nice thing to know. I am trying to figure out why no information is being released.

  • XronosXronos Newbie ✭

    Sonicwall can protect you from APTs but they can not protect there own system for a simple blind sql injection :)

    That's all information i need.

    Just say nothing says it all...

    Just have a quick look at the end of the post from a well known security researcher and ex member of the known Lulzsec hacking group

    Sonicwall definitely have a QA problem regarding security and quality....

    Sonicwall should start to leave a comment on this post regrading their migration tasks....

  • MicahMicah SonicWall Employee
    edited February 2021

    SonicWall is announcing the availability of new firmware versions for both 10.x and 9.x code on SMA 100 series products, comprised of SMA 200, 210, 400, 410 physical appliances and the SMA 500v virtual appliance.

    The new SMA 10.2 firmware includes:

    • Code-hardening fixes identified during an internal code audit
    • Rollup of customer issue fixes not included in the Feb. 3 patch
    • General performance enhancements
    • Previous SMA 100 series zero-day fixes posted on Feb. 3

    The new 9.0 firmware includes:

    • Code-hardening fixes identified during an internal code audit

    All organizations using SMA 100 series 10.x or 9.x firmware should apply the respective patches IMMEDIATELY.

    If you already upgraded to the previous SMA 10.2.0.5-29sv firmware posted on Feb 3., you still need to upgrade to SMA 10.2.0.6-32sv as outlined in the updated KB article. If you skipped the SMA 10.2.0.5-29sv firmware update from Feb. 3, you only need to apply the latest SMA firmware.

    Please review the updated KB article for the latest firmware version numbers and follow detailed steps on how to upgrade.

    @micah - SonicWall's Self-Service Sr. Manager

  • Is there any update on whether our support case information was stolen in the internal breach and if the malicious actors stole source code?

  • TECHMTECHM Newbie ✭
    edited February 2021

    We upgraded to 10.2.0.6-32sv  as per SonicWalls advice and now none of our employees can login via NetExtender.

    We are getting User License errors saying we have none left (which is not correct) and this upgrade is the only change we made last Friday night.

    Wonderful fix!

  • stfstf Newbie ✭

    Anyone get any more information from Sonicwall on all of this?


  • BWCBWC Cybersecurity Overlord ✭✭✭

    Hi @stf

    I guess every SNWL customer got this by now, came in last night via e-Mail? Most of the initial questions remain open, but at least it seems that no data at SNWL got compromised.

    As previously communicated, SonicWall was the target of an attack by a highly sophisticated threat actor in mid-January. SonicWall’s priority in responding to the attack was identifying, resolving and providing alerts regarding potential product vulnerabilities that could impact our customers. 


    SonicWall first issued a zero-day vulnerability alert for one of our remote access products, the SMA 100 series, which we now believe was used in the attack. On Feb. 3 we released a critical patch for the vulnerability, and on Feb. 19 we issued an update with additional code-hardening for the SMA 100 series product line.  


    Based on our extensive investigation in consultation with forensic experts, there is no evidence that any other SonicWall products are impacted or that SonicWall’s source code has been modified or otherwise compromised. As a precaution, we are conducting additional third-party code reviews to supplement the standard code audits that are part of our development and PSIRT processes.


    The January incident resulted in the exfiltration of some limited internal SonicWall files. Impacted parties and relevant regulators have been notified of this event. 


    We appreciate the support and confidence shown by our partners and customers as we have worked through the stages of this event and the ensuing investigation. 


    SonicWall remains committed to delivering world-class cybersecurity solutions for our partners and customers, and we will continue to communicate the latest information and guidance for keeping your organizations safe.


    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Micah et al.

    the gifted 60 day WAF license is going to expire in a few days. Does the SMA still needs it to protect itself or are we "good" to run it without it?

    --Michael@BWC

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited April 2021
Sign In or Register to comment.