SonicWall left users exposed to vulnerable API for 14 days

By on
SonicWall left users exposed to vulnerable API for 14 days

LinkedIn poke at chief executive accelerated fix.

A researcher who found a serious vulnerability in SonicWall's cloud management application programming interface criticised the vendor for leaving the service up and running for a fortnight while it worked out a fix.

Vangelis Stykas of UK-based Pentest Partners discovered an insecure direct object reference vulnerability in SonicWall's user management API endpoint.

An attacker could manipulate a parameter in the API call, and add themselves to any account at any organisation via the SonicWall cloud management system at mysonicwall.com

Stykas demonstrated how this could have resulted in a trivial compromise of around 500,000 organisations, 2 million user groups and some 10 million SonicWall devices.

The researcher reported the bug to SonicWall's product security incident report team, and urged the company to take down the affected service to reduce the risk to customers.

However, while SonicWall validated Stykas' report, the company kept the vulnerable service online for 14 days while it developed a fix for the bug.

Stykas heard nothing from the company for days after the report, and no fix was forthcoming for the vulnerability, but a colleague helped escalate the issue to SonicWall chief executive Bill Conner via LinkedIn, who in turn passed on the message to a vice president at the security vendor.

This led to the vulnerability being fixed within 48 hours.

In a statement, SonicWall said that exploitation of the vulnerability required an attacker to obtain an account owner's specific tenant ID.

These, SonicWall said, are fully protected and not publicly available. 

An attacker would then need to associate a new user with the existing account owner's tenant ID.

Stykas called this "inaccurate and misleading" and said that as his company found the tenant IDs, they were both unprotected and publicly available.

Furthermore, the tenant IDs are sequntially numbered which would allow a hacker to work them out.

"What makes the difference between a cool vendor and an uncool vendor is how they deal with the report. In our opinion SonicWall didn’t deal with this well and then knowingly exposed every single one of their cloud-connected customers to remote pwnage for 14 days," Stykas said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
dell security sonicwall vangelis stykas

Sponsored Whitepapers

Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
IBM Maximo: Manage any asset, anytime, any place with mobile EAM
Optimise your operations with APM and AI-Powered insights
Optimise your operations with APM and AI-Powered insights
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Forrester Study: Understand the total economic impact of using IBM Cloud Pak™ for Data
Technology skill development: The strategy for building better teams
Technology skill development: The strategy for building better teams

Events

Most Read Articles

Services Australia shifts most Centrelink payments to SAP S/4 HANA

Services Australia shifts most Centrelink payments to SAP S/4 HANA
Any Android security app is better than Google Play Protect

Any Android security app is better than Google Play Protect
Toll Group starts to scale out intelligent automation

Toll Group starts to scale out intelligent automation
Square to buy Australia's Afterpay for $39 billion

Square to buy Australia's Afterpay for $39 billion

Log In

Email:
Password:
  |  Forgot your password?