Access member only content, take part in discussions with comments on blogs, news and reviews and receive all the latest security industry news directly to your inbox. Join now for free.
Processing registration... Please wait.
This process can take up to a minute to complete.
A confirmation email has been sent to your email address - SUPPLIED EMAIL HERE. Please click on the link in the email to verify your email address. You need to verify your email before you can start posting.
If you do not receive your confirmation email within the next few minutes, it may be because the email has been captured by a junk mail filter. Please ensure you add the domain @scmagazine.com.au to your white-listed senders.
Update: SonicWall has patched the flaws.
Multiple vulnerabilities have been found in SonicWall’s Network Security Appliance (NSA) 4500.
Hugo Vázquez Caramés, chief executive of a Barcelona-based penetration testing firm, said the flaws were found during an ethical hack against a customer’s wireless network.
Caramés reported that MAC spoofing protection contained in the NSA 4500 unified threat management device was incompatible and would fail when used with SonicWall’s SonicPoint wireless access points.
Penetration testers had conducted ARP spoofing attacks against a customer’s network and found MAC spoofing protection had failed but appeared functional to administrators.
“Customers don't know they are unprotected even if they have the MAC spoofing activated,” Caramés said.
He said SonicWall had confirmed the vulnerability. SonicWall Australia was investigating the disclosure but could not confirm the report by the time of publication.
A vulnerability was also found in the NSA 4500 web administrator interface which would execute malicious JavaScript in a form labelled "Login page content".
Caramés had performed session hijacking against the NSA 4500 using brute force attacks.
He said the device generated weak HTTP session identities which were stored in the sessid cookie variable.
“From a LAN, 10 percent of all IDs can be brute forced in one day. The more administrators are logged in, the more dangerous is the scenario, and easier is the brute force attack.”
He posted the brute force attack used to hijack sessions.
GET /log.wri HTTP/1.0 Host: 123.123.123.123 Connection: close User-Agent: brute-forcing Cookie: SessId=111111111
GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111
SessId equals the variable which changes in each request. Host is the SonicWall IP address. A 200 HTTP response and SonicWall logs will appear if the attack was successful.
Update: SonicWall has said the "medium severity" vulnerabilities (SonicOS Management SessionID Brute Force Vulnerability and Preview of Custom Web Page Vulnerability) have been patched.
The fixes are availabe on its support website.
Copyright © SC Magazine, Australia
To begin commenting right away, you can log in below or register an account if you don't yet have one. Please read our guidelines on commenting. Offending posts will be removed and your access may be suspended. Abusive or obscene language will not be tolerated. The comments below do not necessarily reflect the views or opinions of SC Magazine, Haymarket Media or its employees.
