
SonicWall has released a patch for a 0-day bug under attack


At the end of January 2021, it became known that SonicWall had been hit by a “coordinated hacker attack” that exploited a vulnerability in the company’s own products. Soon after, experts reported that a still-unidentified zero-day vulnerability in SonicWall’s network devices was already under “indiscriminate” attack. At the same time, analysts were convinced that they had found the very same 0-day with which SonicWall itself had been hacked.

This week, the company finally released a firmware update for the SMA 100 series devices that were under attack. The developers emphasize that all users of the SMA 200, SMA 210, SMA 400 and SMA 410 hardware appliances and of the virtual SMA 500v (Azure, AWS, ESXi, Hyper-V) should install this update immediately.

According to the security bulletin, the patch addresses issues that could allow attackers to obtain administrator credentials and remotely execute arbitrary code on the devices.

Although SonicWall representatives still disclose almost no details of the vulnerability, experts from NCC Group, who had earlier discovered attacks exploiting it, shed some light on what is happening. For example, on Twitter, Ollie Whitehouse and Rich Warren offered tips for detecting an “authentication bypass” on a device.

Rich Warren, in turn, went even further and listed specific paths that may indicate a successful authorization bypass in the SonicWall logs. According to him, requests for /cgi-bin/management may indicate a compromise if they were not preceded by successful requests to /__api__/v1/logon or /__api__/v1/logon//authenticate.

To check for a user-level bypass through the VPN client or the web, look for entries for /cgi-bin/sslvpnclient and /cgi-bin/portal in the access logs. If a user reached these paths without first accessing the corresponding login paths, this indicates an authorization bypass. Via the VPN client the login path is /cgi-bin/userLogin; via the web it is /__api__/v1/logon (returning 200) followed by /__api__/v1/logon//authenticate.

That is, the data provided by the researchers indicates that the vulnerability allows remote attackers to reach the internal network or the management interface without prior authentication.
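The following is an added example, not code from the article, from NCC Group or from SonicWall: a small Python checker that applies the log heuristic described above to access-log lines. It assumes, hypothetically, that the appliance access log is in a common-log-like format (client IP, timestamp, request line, status code) and that requests from one client can be correlated by source IP; the real SMA log format may differ, so the parser is the part to adapt. "Successful" is taken to mean an HTTP 200 response. The sample log lines are constructed for the example.

```python
"""Flag requests to protected SonicWall SMA paths that were not preceded by a
successful login from the same client (heuristic from the article).

Added example; assumes a common-log-like access log and per-IP correlation.
"""
import re
from collections import defaultdict

# Paths that should only be reachable after authentication (from the article).
MANAGEMENT_PATH = "/cgi-bin/management"
USER_PATHS = {"/cgi-bin/sslvpnclient", "/cgi-bin/portal"}

# Paths whose successful use establishes authentication (from the article).
WEB_LOGON = "/__api__/v1/logon"
WEB_AUTHENTICATE = "/__api__/v1/logon//authenticate"
ADMIN_LOGON_PATHS = {WEB_LOGON, WEB_AUTHENTICATE}
VPN_CLIENT_LOGIN = "/cgi-bin/userLogin"
ALL_LOGIN_PATHS = ADMIN_LOGON_PATHS | {VPN_CLIENT_LOGIN}

# Assumed log format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real appliance output).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200 512
203.0.113.10 - - [01/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200 128
203.0.113.10 - - [01/Feb/2021:10:00:05 +0000] "GET /cgi-bin/management HTTP/1.1" 200 4096
203.0.113.10 - - [01/Feb/2021:10:00:07 +0000] "GET /cgi-bin/portal HTTP/1.1" 200 2048
198.51.100.7 - - [01/Feb/2021:10:01:00 +0000] "GET /cgi-bin/management HTTP/1.1" 200 4096
198.51.100.9 - - [01/Feb/2021:10:02:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200 256
198.51.100.9 - - [01/Feb/2021:10:02:01 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200 1024
198.51.100.11 - - [01/Feb/2021:10:03:00 +0000] "POST /__api__/v1/logon HTTP/1.1" 401 64
198.51.100.11 - - [01/Feb/2021:10:03:02 +0000] "GET /cgi-bin/portal?x=1 HTTP/1.1" 200 2048
"""


def parse_line(line):
    """Return a dict with ip, ts, method, path (query stripped) and int status,
    or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_bypass_candidates(lines):
    """Walk the log in order and return (ip, timestamp, path, reason) tuples for
    protected-path requests with no preceding successful login by that client."""
    logged_in = defaultdict(set)  # ip -> login paths that returned 200 so far
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]

        if path == MANAGEMENT_PATH:
            if not (logged_in[ip] & ADMIN_LOGON_PATHS):
                findings.append((ip, rec["ts"], path,
                                 "management access without prior API logon"))
        elif path in USER_PATHS:
            via_vpn = VPN_CLIENT_LOGIN in logged_in[ip]
            via_web = WEB_LOGON in logged_in[ip] and WEB_AUTHENTICATE in logged_in[ip]
            if not (via_vpn or via_web):
                findings.append((ip, rec["ts"], path,
                                 "user portal access without prior login"))

        # Record the login only after the check, so a request can never
        # satisfy its own precondition; non-200 login attempts do not count.
        if status == 200 and path in ALL_LOGIN_PATHS:
            logged_in[ip].add(path)
    return findings


if __name__ == "__main__":
    for ip, ts, path, reason in find_bypass_candidates(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} {path}: {reason}")
```

On the constructed sample, the two clients that reach /cgi-bin/management and /cgi-bin/portal without a successful login (one with no login attempt at all, one whose logon returned 401) are flagged, while the clients that logged in through the API or through /cgi-bin/userLogin first are not. A login that happened before the log window begins will produce a false positive, so treat hits as leads for the timeline, not as proof by themselves.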
