Update: SonicWall has patched the flaws.
Multiple vulnerabilities have been found in SonicWall’s Network Security Appliance (NSA) 4500.
Hugo Vázquez Caramés, chief executive of a Barcelona-based penetration testing firm, said the flaws were found during an ethical hack against a customer’s wireless network.
Penetration testers had conducted ARP spoofing attacks against a customer’s network and found MAC spoofing protection had failed but appeared functional to administrators.
“Customers don't know they are unprotected even if they have the MAC spoofing activated,” Caramés said.
He said SonicWall had confirmed the vulnerability. SonicWall Australia was investigating the disclosure but could not confirm the report by the time of publication.
Caramés had performed session hijacking against the NSA 4500 using brute force attacks.
He said the device generated weak HTTP session identities which were stored in the sessid cookie variable.
“From a LAN, 10 percent of all IDs can be brute forced in one day. The more administrators are logged in, the more dangerous is the scenario, and easier is the brute force attack.”
He posted the brute force attack used to hijack sessions.
GET /log.wri HTTP/1.0
SessId equals the variable which changes in each request. Host is the SonicWall IP address. A 200 HTTP response and SonicWall logs will appear if the attack was successful.
Update: SonicWall has said the "medium severity" vulnerabilities (SonicOS Management SessionID Brute Force Vulnerability and Preview of Custom Web Page Vulnerability) have been patched.
The fixes are availabe on its support website.