SonicWall left users exposed to vulnerable API for 14 days

By on
SonicWall left users exposed to vulnerable API for 14 days

LinkedIn poke at chief executive accelerated fix.

A researcher who found a serious vulnerability in SonicWall's cloud management application programming interface criticised the vendor for leaving the service up and running for a fortnight while it worked out a fix.

Vangelis Stykas of UK-based Pentest Partners discovered an insecure direct object reference vulnerability in SonicWall's user management API endpoint.

An attacker could manipulate a parameter in the API call, and add themselves to any account at any organisation via the SonicWall cloud management system at mysonicwall.com

Stykas demonstrated how this could have resulted in a trivial compromise of around 500,000 organisations, 2 million user groups and some 10 million SonicWall devices.

The researcher reported the bug to SonicWall's product security incident report team, and urged the company to take down the affected service to reduce the risk to customers.

However, while SonicWall validated Stykas' report, the company kept the vulnerable service online for 14 days while it developed a fix for the bug.

Stykas heard nothing from the company for days after the report, and no fix was forthcoming for the vulnerability, but a colleague helped escalate the issue to SonicWall chief executive Bill Conner via LinkedIn, who in turn passed on the message to a vice president at the security vendor.

This led to the vulnerability being fixed within 48 hours.

In a statement, SonicWall said that exploitation of the vulnerability required an attacker to obtain an account owner's specific tenant ID.

These, SonicWall said, are fully protected and not publicly available. 

An attacker would then need to associate a new user with the existing account owner's tenant ID.

Stykas called this "inaccurate and misleading" and said that as his company found the tenant IDs, they were both unprotected and publicly available.

Furthermore, the tenant IDs are sequntially numbered which would allow a hacker to work them out.

"What makes the difference between a cool vendor and an uncool vendor is how they deal with the report. In our opinion SonicWall didn’t deal with this well and then knowingly exposed every single one of their cloud-connected customers to remote pwnage for 14 days," Stykas said.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
dell security sonicwall vangelis stykas

Most Read Articles

'Zerologon' Windows domain admin bypass exploit released

'Zerologon' Windows domain admin bypass exploit released
Service NSW's in-app contact tracing tool goes live statewide

Service NSW's in-app contact tracing tool goes live statewide
Macquarie University brings Accenture onboard for HR transformation

Macquarie University brings Accenture onboard for HR transformation
Telstra to block Services Australia SMS phishing scams

Telstra to block Services Australia SMS phishing scams
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

A Migration Guide For Businesses Switching Mobile Device Management Solutions
A Migration Guide For Businesses Switching Mobile Device Management Solutions
Plan your post-COVID security strategy
Plan your post-COVID security strategy
The Executive's Guide To The Future Of Work
The Executive's Guide To The Future Of Work
Government Digital Transformation Requires Customer Obsession
Government Digital Transformation Requires Customer Obsession
Master the fundamentals of AWS cost efficiency
Master the fundamentals of AWS cost efficiency

Events

Log In

Username / Email:
Password:
  |  Forgot your password?