Holes found in SonicWall god box

By

Pen tests poke holes in NSA 4500.

Update: SonicWall has patched the flaws.

Holes found in SonicWall god box

 Multiple vulnerabilities have been found in SonicWall’s Network Security Appliance (NSA) 4500.

Hugo Vázquez Caramés, chief executive of a Barcelona-based penetration testing firm, said the flaws were found during an ethical hack against a customer’s wireless network.

Caramés reported that MAC spoofing protection contained in the NSA 4500 unified threat management device was incompatible and would fail when used with SonicWall’s SonicPoint wireless access points.

Carames

Penetration testers had conducted ARP spoofing attacks against a customer’s network and found MAC spoofing protection had failed but appeared functional to administrators.

“Customers don't know they are unprotected even if they have the MAC spoofing activated,” Caramés said.

He said SonicWall had confirmed the vulnerability. SonicWall Australia was investigating the disclosure but could not confirm the report by the time of publication.

A vulnerability was also found in the NSA 4500 web administrator interface which would execute malicious JavaScript in a form labelled "Login page content".

Caramés had performed session hijacking against the NSA 4500 using brute force attacks.

He said the device generated weak HTTP session identities which were stored in the sessid cookie variable.

“From a LAN, 10 percent of all IDs can be brute forced in one day. The more administrators are logged in, the more dangerous is the scenario, and easier is the brute force attack.”

He posted the brute force attack used to hijack sessions.

GET /log.wri HTTP/1.0

 

Host: 123.123.123.123

 

Connection: close

 

User-Agent: brute-forcing

 

Cookie: SessId=111111111

SessId equals the variable which changes in each request. Host is the SonicWall IP address. A 200 HTTP response and SonicWall logs will appear if the attack was successful.

Update: SonicWall has said the "medium severity" vulnerabilities (SonicOS Management SessionID Brute Force Vulnerability and Preview of Custom Web Page Vulnerability) have been patched.

The fixes are availabe on its support website.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
brute forcepenetration testssecuritysonicwallvulnerabilitiesxss

Sponsored Whitepapers

Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.

Events

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul
CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?