SonicWall has released an update containing a patch for a 0-day bug that, according to experts, was being exploited by hackers. At the end of January 2021, it became known that SonicWall had suffered a “coordinated hacker attack” that exploited a vulnerability in the company’s own products.
Soon after, experts reported that a mysterious zero-day vulnerability in SonicWall’s network devices was already under “indiscriminate” attack. The analysts were also convinced that this was the very same 0-day that had been used to breach SonicWall itself.
This week, the company finally released a firmware update (10.2.0.5-29sv) for the SMA 100 series devices that were under attack.
According to the security bulletin, the patch resolves issues that could allow attackers to obtain administrator credentials and remotely execute arbitrary code on devices.
Although SonicWall representatives still disclose almost no details of the vulnerability, experts from NCC Group, who had earlier discovered attacks exploiting it, have shed light on what is happening. For example, on Twitter, Ollie Whitehouse and Rich Warren offered tips for detecting an “authentication bypass” on a device.
Rich Warren went further and listed specific paths in the SonicWall logs that may indicate a successful authentication bypass. According to him, requests to /cgi-bin/management may indicate a compromise if they were not preceded by successful requests to /__api__/v1/logon or /__api__/v1/logon//authenticate.
To check for a user-level bypass via a VPN client or the web, look for entries for /cgi-bin/sslvpnclient and /cgi-bin/portal in the access logs. If a user reached these paths without first accessing the following paths, that indicates an authentication bypass. Via the VPN client: /cgi-bin/userLogin. Via the web: /__api__/v1/logon (200) and /__api__/v1/logon//authenticate.
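The log check described above, written out as an added Python example (not code from NCC Group or SonicWall): it walks access-log lines in order and flags any request to a protected path from a client that has not previously logged on. The log line layout, keying sessions by source IP, and treating every logon path as successful only on HTTP 200 are assumptions; the real SMA 100 log format may differ.

```python
import re
from collections import defaultdict

# Logon paths named in the article: admin (web management) and user level.
ADMIN_LOGON = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate"}
USER_LOGON = ADMIN_LOGON | {"/cgi-bin/userLogin"}

# Protected paths and the logon paths that must precede them.
PROTECTED = {
    "/cgi-bin/management": ADMIN_LOGON,
    "/cgi-bin/sslvpnclient": USER_LOGON,
    "/cgi-bin/portal": USER_LOGON,
}

# Assumed line format: '<client_ip> [<time>] "<METHOD> <path> HTTP/1.1" <status>'.
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def find_bypasses(lines):
    """Return (client_ip, time, path) for each protected request that was not
    preceded by a successful logon from the same client (keyed by IP: assumption)."""
    logged_on = defaultdict(set)  # client_ip -> logon paths seen with status 200
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ip, when, _method, raw_path, status = m.groups()
        path = raw_path.split("?", 1)[0]  # compare without the query string
        if path in USER_LOGON and status == "200":
            logged_on[ip].add(path)
        elif path in PROTECTED and not (logged_on[ip] & PROTECTED[path]):
            findings.append((ip, when, path))
    return findings


# Constructed sample log: 10.0.0.5 and 10.0.0.7 log on first; 10.0.0.9 never does.
SAMPLE_LOG = """\
10.0.0.5 [01/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200
10.0.0.5 [01/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200
10.0.0.5 [01/Feb/2021:10:00:05 +0000] "GET /cgi-bin/management HTTP/1.1" 200
10.0.0.9 [01/Feb/2021:10:01:00 +0000] "GET /cgi-bin/management HTTP/1.1" 200
10.0.0.7 [01/Feb/2021:10:02:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200
10.0.0.7 [01/Feb/2021:10:02:03 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200
10.0.0.9 [01/Feb/2021:10:03:00 +0000] "GET /cgi-bin/portal?x=1 HTTP/1.1" 200
"""


def scan_sample():
    return find_bypasses(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when, path in scan_sample():
        print(f"possible bypass: {ip} reached {path} at {when} without logon")
```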
In conclusion, the data provided by the researchers indicates that the vulnerability allows remote attackers to gain access to the internal network or the management interface without prior authentication.