SonicWall Fixes Actively Exploited SMA 100 Zero-day Vulnerability

SonicWall has released a patch for the zero-day vulnerability used in attacks against the SMA 100 series of remote access appliances.

On January 22nd, SonicWall disclosed that their internal systems were attacked using a zero-day vulnerability in the SMA 100 series of SonicWall networking devices.

A little over a week later, cybersecurity firm NCC Group discovered a zero-day vulnerability for the SonicWall SMA 100 that was actively being exploited in the wild.

SonicWall later confirmed the zero-day vulnerability and announced that owners could use the built-in Web Application Firewall (WAF) to neutralize the vulnerability.

As the WAF requires a paid license, SonicWall has added a free 60-day WAF license to all registered SMA 100 series devices running 10.X code.

Patch released to fix the zero-day vulnerability

Today, SonicWall has released an SMA 100 series firmware 10.2.0.5-29sv update that fixes the actively exploited zero-day vulnerability in the SMA 100 series of devices.

“All SMA 100 series users must apply this patch IMMEDIATELY to avoid potential exploitation,” SonicWall says.

Impacted SMA 100 devices running affected 10.x firmware and requiring this critical patch include:

  • Physical Appliances: SMA 200, SMA 210, SMA 400, SMA 410
  • Virtual Appliances: SMA 500v (Azure, AWS, ESXi, HyperV)

The patch addresses security bugs tracked under the SNWLID-2021-0001 advisory. The vulnerabilities allow attackers to gain admin credentials and remotely execute arbitrary code on successfully exploited devices.

The recommended update procedure for all customers using SMA 10.x firmware requires you to:

  1. Upgrade to SMA 10.2.0.5-29sv firmware, available from www.mysonicwall.com
  2. Reset the passwords for any users who may have logged in to the device via the web interface.
  3. Enable multifactor authentication (MFA) as a safety measure.
    • MFA is an invaluable safeguard against credential theft and is a key measure of good security posture.
    • MFA is effective whether it is enabled on the appliance directly or on the directory service in your organization.

Admins who cannot immediately apply this patch should enable the Web Application Firewall (WAF) until they are ready to deploy the patch on affected devices.

Zero-day details hinted

At this time, SonicWall has not provided any details on the vulnerability, but tweets from NCC Group’s Ollie Whitehouse and Rich Warren indicate that it allows remote access to the management interface without authorization.

When asked on Twitter how SonicWall admins can detect if the vulnerability has been exploited on their devices, Whitehouse and Warren provide tips on detecting an “auth bypass” on the device.

“It is hard to detail what to look for without making it too easy as we saw with F5 and Citrix. Looking for unexpected management interface access is the indicator at the moment,” tweeted Whitehouse on detecting exploitation of SonicWall devices.

NCC Group’s Rich Warren went a bit further and listed specific paths in a SonicWall log that could indicate a successful exploit of the authorization bypass.

For SonicWall users who keep access logs, Warren states that they can look for requests to ‘/cgi-bin/management’ that are not preceded by a successful request to ‘/__api__/v1/logon’ or ‘/__api__/v1/logon//authenticate’ from the same client.

If these requests do exist, then it would indicate an authorization bypass to the management interface.

To check for user-level bypass via the VPN client or the web, Warren says admins should look for access log entries to:

/cgi-bin/sslvpnclient
/cgi-bin/portal

If a user accessed those paths without also previously accessing the following paths, it indicates a user-level authorization bypass.

Via VPN client:

/cgi-bin/userLogin (for VPN client)

Via web:

/__api__/v1/logon (200)
/__api__/v1/logon//authenticate

While this does not explain in detail how the vulnerability works, this information indicates that a core component, or the vulnerability itself, allows remote attackers to gain access to the internal network or management interface without needing to authenticate first.
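The checks Warren describes, turned into a small log-scanning script. This is an added example, not code from the article, SonicWall or NCC Group: it assumes a common-log-style access log layout (the real SMA 100 format may differ, so only the regex would need adapting) and keys "previous successful logon" on the client IP rather than a session identifier.

```python
import re

# Constructed sample access-log lines; the layout is an assumption.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200 512
10.0.0.5 - - [01/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200 128
10.0.0.5 - - [01/Feb/2021:10:00:09 +0000] "GET /cgi-bin/management HTTP/1.1" 200 2048
203.0.113.7 - - [01/Feb/2021:11:15:30 +0000] "GET /cgi-bin/management HTTP/1.1" 200 2048
198.51.100.9 - - [01/Feb/2021:12:01:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200 300
198.51.100.9 - - [01/Feb/2021:12:01:05 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200 900
198.51.100.23 - - [01/Feb/2021:12:30:00 +0000] "GET /cgi-bin/portal HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Logon paths from the article, and the paths that should only follow one of them.
ADMIN_LOGON = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate"}
USER_LOGON = ADMIN_LOGON | {"/cgi-bin/userLogin"}
ADMIN_PROTECTED = {"/cgi-bin/management"}
USER_PROTECTED = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}


def find_bypass(log_text):
    """Return (ip, path, kind) for protected-path requests with no earlier
    HTTP 200 logon request from the same client IP (IP as the session key is
    a simplifying assumption; use a session cookie if the log records one)."""
    admin_ok, user_ok, findings = set(), set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ip, status = m["ip"], m["status"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if status == "200" and path in ADMIN_LOGON:
            admin_ok.add(ip)
        if status == "200" and path in USER_LOGON:
            user_ok.add(ip)
        if path in ADMIN_PROTECTED and ip not in admin_ok:
            findings.append((ip, path, "management-interface bypass"))
        elif path in USER_PROTECTED and ip not in user_ok:
            findings.append((ip, path, "user-level bypass"))
    return findings


if __name__ == "__main__":
    for ip, path, kind in find_bypass(SAMPLE_LOG):
        print(f"{kind}: {ip} requested {path} with no prior logon")
```

On the constructed sample, only the two clients that reached a protected path without a preceding successful logon are reported; the two legitimate sessions are silent.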
