United Kingdom security researchers say it took SonicWall more than two weeks to patch a vulnerability in 1.9 million SonicWall user groups, affecting some 10 million managed devices and 500,000 organizations. In a blog released by Pen Test Partners, the researchers explained that the vulnerability, an insecure direct object reference (IDOR) in the ‘partyGroupID’ API request, allowed any user to be added to any group at any organization.
"Using this degree of access, one could modify firewall rules and/or VPN access, giving oneself remote access in to any organization," says the researcher. "One could inject ransomware, or any manner of other attacks should one so wish. That’s a breach of customer networks directly as a result of their security products."
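To make the class of flaw concrete, here is an added illustration (not SonicWall's or Pen Test Partners' code) of a group-membership handler that trusts a client-supplied `partyGroupID`, next to a version that enforces object-level authorization; the organizations, group IDs, request shape and `Caller`/`Group` types are all constructed for this example.

```python
"""Illustration of an IDOR in a group-membership API and its fix.
All tenant data, names and the request shape are constructed; this is
not the vendor's code."""
from dataclasses import dataclass, field


@dataclass
class Caller:
    user_id: str
    org_id: str
    is_org_admin: bool


@dataclass
class Group:
    group_id: str
    org_id: str
    members: set = field(default_factory=set)


# Constructed tenant data: two organizations, one user group each.
GROUPS = {
    "grp-100": Group("grp-100", "org-A"),
    "grp-200": Group("grp-200", "org-B"),
}


class Forbidden(Exception):
    pass


def add_member_vulnerable(caller: Caller, req: dict) -> bool:
    """IDOR: the group is fetched by the ID the client sent and the caller's
    relationship to it is never checked, so any authenticated user can add
    any user to any organization's group."""
    group = GROUPS[req["partyGroupID"]]
    group.members.add(req["userID"])
    return True


def add_member_fixed(caller: Caller, req: dict) -> bool:
    """Object-level authorization: resolve the group, then require that the
    caller's organization owns it and that the caller holds an admin role."""
    group = GROUPS.get(req["partyGroupID"])
    # Same error for unknown and foreign groups so IDs cannot be enumerated.
    if group is None or group.org_id != caller.org_id:
        raise Forbidden("no such group for this organization")
    if not caller.is_org_admin:
        raise Forbidden("organization admin role required")
    group.members.add(req["userID"])
    return True
```

The check that matters is the tenant-ownership comparison, not the admin-role test alone: a role check without it still lets an admin of one organization reach into another's groups.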
In an email statement to SC Media, SonicWall said a vulnerability in its cloud-based product registration system was quickly researched, verified and promptly patched on August 26. About two weeks earlier, SonicWall said it had identified the reported vulnerability as part of its PSIRT program (the notification from Pen Test Partners) and rapidly created a fix that underwent full testing and certification.
"SonicWall claims that at no time did it detect or become aware of any attempted exploitation of the vulnerability in the cloud-based product registration system. The company says the fix was successfully applied to the cloud system and says no action is required by end users," writes SC Media.
But Ken Munro, partner and founder of Pen Test Partners, claims otherwise, saying that after several days of prodding, Pen Test Partners reached out to SonicWall CEO Bill Conner, who responded two hours after being contacted. The fix was then executed just two days later – 17 days after Pen Test Partners contacted the company. “We should have not had to reach out to the CEO to get this issue accelerated,” Munro said. “There was only one part of the API that had the flaw. It should have been taken down, but instead it left the customer base exposed for at least 14 days. This patch should have been done very quickly.”
Heather Paunet, Senior Vice President of Product Management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, says, "Vulnerabilities within software applications and software services are found and reported every day at an alarming rate if you think about the potential consequences. As of September 3, 2020, there have been 107 CVEs (Common Vulnerabilities and Exposures) reported to the National Vulnerability Database for the month of September, which sounds like a lot for being only 3 days into the month. There were a total of 1240 entries found and reported in August 2020. Each time a vulnerability is found, and subsequently blocked, software applications and services become more robust against different types of cyber-attacks because of it."
"Pen Test Partners make it their goal to test and evaluate software applications and services to see if they can find ways to access data, access user accounts, and find ways into systems that could be used to disable, or steal data from those services. Many software vendors employ the services of Pen Test Partners specifically to find those holes before anyone else can find them," explains Paunet.
Ultimately, once Pen Test Partners reports a vulnerability, vendors, such as SonicWall in this case, need to assess the issue, validate that it’s a real issue in the context of how it was reported, quickly assess the effects it will have on users of their software, and make a plan to address it, says Paunet. "The response of any vendor depends on that assessment. In this case, the issue was that any user, no matter what their privileges, could be elevated to have full administrative privileges to make changes to the SonicWall systems. Any such user would then have control over how a corporate network behaves, including who could get access to the network. The worst case examples are that a malicious user with these privileges could open up the network completely by changing firewall rules, allowing for even the most basic of data breaches to occur."
When assessing this vulnerability, SonicWall would be taking into account how likely this vulnerability was to be discovered, whether the vulnerability had been made public, and whether the fix that they applied would have any unforeseen consequences, adds Paunet. "Ideally, fixing any data breach as soon as possible is the best path to take. However, there are other considerations when making a lightning fast code modification. Any time code is modified, running a full regression test will make sure that everything continues to work as intended. In the case of SonicWall’s cloud management system, foregoing a full Quality Assurance test cycle could be just as dangerous with its own side effects, similar to if this identified vulnerability was left unchecked. Side effects of not fully going through regression tests could also result in taking down, exposing access to, or breaking a customer’s network."
"While we don’t know the internal discussions that happened at SonicWall, as a security vendor themselves, they had to have considered those implications when putting a timeline on their fix. Essentially, as soon as the vulnerability was discovered, and made known, it became a race against time between hackers finding and using the vulnerability to their advantage, and SonicWall closing it off," Paunet concludes.
Rick Moy, Vice President of Marketing at Tempered Networks, a Seattle, Wash.-based network security provider, notes, "This is a good case for organizations not rolling their own authentication and authorization code without serious justification and investment. Kudos to the CEO for getting it and acting quickly. Hopefully, this will be a learning experience that spreads the sense of urgency throughout the organization. With that being said, in 2020, an indirect secure object reference vulnerability (IDOR) on a cloud security service is hard to justify since it’s been on the OWASP Top 10 since 2007. As security vendors, we must hold ourselves to a higher standard."