SonicWall left users exposed to vulnerable API for 14 days

By on
SonicWall left users exposed to vulnerable API for 14 days

LinkedIn poke at chief executive accelerated fix.

A researcher who found a serious vulnerability in SonicWall's cloud management application programming interface criticised the vendor for leaving the service up and running for a fortnight while it worked out a fix.

Vangelis Stykas of UK-based Pentest Partners discovered an insecure direct object reference vulnerability in SonicWall's user management API endpoint.

An attacker could manipulate a parameter in the API call, and add themselves to any account at any organisation via the SonicWall cloud management system at mysonicwall.com

Stykas demonstrated how this could have resulted in a trivial compromise of around 500,000 organisations, 2 million user groups and some 10 million SonicWall devices.

The researcher reported the bug to SonicWall's product security incident report team, and urged the company to take down the affected service to reduce the risk to customers.

However, while SonicWall validated Stykas' report, the company kept the vulnerable service online for 14 days while it developed a fix for the bug.

Stykas heard nothing from the company for days after the report, and no fix was forthcoming for the vulnerability, but a colleague helped escalate the issue to SonicWall chief executive Bill Conner via LinkedIn, who in turn passed on the message to a vice president at the security vendor.

This led to the vulnerability being fixed within 48 hours.

In a statement, SonicWall said that exploitation of the vulnerability required an attacker to obtain an account owner's specific tenant ID.

These, SonicWall said, are fully protected and not publicly available. 

An attacker would then need to associate a new user with the existing account owner's tenant ID.

Stykas called this "inaccurate and misleading" and said that as his company found the tenant IDs, they were both unprotected and publicly available.

Furthermore, the tenant IDs are sequntially numbered which would allow a hacker to work them out.

"What makes the difference between a cool vendor and an uncool vendor is how they deal with the report. In our opinion SonicWall didn’t deal with this well and then knowingly exposed every single one of their cloud-connected customers to remote pwnage for 14 days," Stykas said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
dell security sonicwall vangelis stykas

Sponsored Whitepapers

The top 5 tech trends to deliver business outcomes
The top 5 tech trends to deliver business outcomes
10 reasons why businesses need to invest in cloud security training
10 reasons why businesses need to invest in cloud security training
Your guide to application security solutions
Your guide to application security solutions
State of Software Security: Open Source Edition
State of Software Security: Open Source Edition
Five questions to ask before you upgrade to a SIEM solution
Five questions to ask before you upgrade to a SIEM solution

Events

Most Read Articles

Infosys scores another $40m for Centrelink payments engine build

Infosys scores another $40m for Centrelink payments engine build
Aussie Broadband switches mobile allegiance from Telstra to Optus

Aussie Broadband switches mobile allegiance from Telstra to Optus
Aussie Broadband brings in NBN users chasing a better experience

Aussie Broadband brings in NBN users chasing a better experience
Bosch, Microsoft join forces to develop vehicle software platform

Bosch, Microsoft join forces to develop vehicle software platform
You must be a registered member of iTnews to post a comment.
| Register

Log In

Username / Email:
Password:
  |  Forgot your password?