At the end of January 2021, it became known that SonicWall had been hit by a “coordinated hacker attack” that exploited a vulnerability in the company’s own products. Soon after, experts reported that a mysterious zero-day vulnerability in SonicWall’s network devices was already under “indiscriminate” attack. At the same time, analysts were convinced that they had found the very same 0-day vulnerability with which SonicWall itself had been hacked.
This week, the company finally released a firmware update (10.2.0.5-29sv) for the SMA 100 series devices that were under attack. The developers emphasize that all users of the SMA 200, SMA 210, SMA 400 and SMA 410 hardware appliances, as well as the virtual SMA 500v (Azure, AWS, ESXi, Hyper-V), should install this update immediately.
According to the security bulletin, the patch addresses issues that could allow attackers to obtain administrator credentials and remotely execute arbitrary code on the devices.
Although SonicWall representatives still disclose almost no details of the vulnerability, experts from the NCC Group, who had earlier discovered attacks exploiting it, shed some light on what is happening. For example, on Twitter, Ollie Whitehouse and Rich Warren offer tips for detecting an “authentication bypass” on a device.
Rich Warren, in turn, went even further and listed specific paths in the SonicWall logs that may indicate a successful authorization bypass. According to him, requests for /cgi-bin/management may indicate a compromise if they were not preceded by successful requests to /__api__/v1/logon or /__api__/v1/logon//authenticate.
To check for a user-level bypass through the VPN client or the web, look for entries for /cgi-bin/sslvpnclient and /cgi-bin/portal in the access logs. If a user reached these paths without first accessing the paths listed below, this indicates an authorization bypass. Via the VPN client: /cgi-bin/userLogin. Via the web: /__api__/v1/logon (200) and /__api__/v1/logon//authenticate.
That is, the data provided by the researchers indicates that the vulnerability allows remote attackers to gain access to the internal network or control interface without prior authentication.
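The log check described above, written out as an added example (not code from the article or from NCC Group): per client address, a request to one of the post-login paths is flagged when no earlier successful request to a login path was seen. The sample lines are constructed, and the Apache-style access-log layout is an assumption, since the article does not show the appliance’s log format.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache common log format (assumed layout;
# adapt LOG_RE to the actual SMA access-log format).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Feb/2021:10:00:01 +0000] "POST /__api__/v1/logon HTTP/1.1" 200 512
203.0.113.10 - - [01/Feb/2021:10:00:02 +0000] "POST /__api__/v1/logon//authenticate HTTP/1.1" 200 128
203.0.113.10 - - [01/Feb/2021:10:00:05 +0000] "GET /cgi-bin/management HTTP/1.1" 200 9012
198.51.100.7 - - [01/Feb/2021:10:03:11 +0000] "GET /cgi-bin/management HTTP/1.1" 200 9012
198.51.100.7 - - [01/Feb/2021:10:03:12 +0000] "GET /cgi-bin/portal HTTP/1.1" 200 4410
192.0.2.44 - - [01/Feb/2021:10:05:00 +0000] "POST /cgi-bin/userLogin HTTP/1.1" 200 300
192.0.2.44 - - [01/Feb/2021:10:05:03 +0000] "GET /cgi-bin/sslvpnclient HTTP/1.1" 200 2100
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# A 200 response to any of these counts as a legitimate login step
# (lenient: the article expects both API calls for a web login).
LOGIN_PATHS = {"/__api__/v1/logon", "/__api__/v1/logon//authenticate",
               "/cgi-bin/userLogin"}
# Post-login paths; reaching them with no prior login is the indicator.
PROTECTED_PATHS = {"/cgi-bin/management", "/cgi-bin/sslvpnclient",
                   "/cgi-bin/portal"}


def find_auth_bypass(log_text):
    """Return (client_ip, path) pairs for protected paths requested by a
    client that had no earlier successful login request in the log."""
    logged_in = defaultdict(bool)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # skip lines that do not parse
        ip, _method, path, status = m.groups()
        path = path.split("?", 1)[0]   # ignore any query string
        if path in LOGIN_PATHS and status == "200":
            logged_in[ip] = True
        elif path in PROTECTED_PATHS and not logged_in[ip]:
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in find_auth_bypass(SAMPLE_LOG):
        print(f"possible auth bypass: {ip} reached {path} without prior login")
```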