A researcher who found a serious vulnerability in SonicWall’s cloud management application programming interface criticised the vendor for leaving the service up and running for a fortnight while it worked out a fix.
Vangelis Stykas of UK-based Pentest Partners discovered an insecure direct object reference vulnerability in SonicWall’s user management API endpoint.
An attacker could manipulate a parameter in the API call and add themselves to any account at any organisation via the SonicWall cloud management system at mysonicwall.com.
Stykas demonstrated how this could have resulted in a trivial compromise of around 500,000 organisations, 2 million user groups and some 10 million SonicWall devices.
The researcher reported the bug to SonicWall’s product security incident report team, and urged the company to take down the affected service to reduce the risk to customers.
However, while SonicWall validated Stykas’ report, the company kept the vulnerable service online for 14 days while it developed a fix for the bug.
Stykas heard nothing from the company for days after the report, and no fix was forthcoming. A colleague then helped escalate the issue via LinkedIn to SonicWall chief executive Bill Conner, who in turn passed the message on to a vice president at the security vendor.
This led to the vulnerability being fixed within 48 hours.
In a statement, SonicWall said that exploitation of the vulnerability required an attacker to obtain an account owner’s specific tenant ID.
These, SonicWall said, are fully protected and not publicly available.
An attacker would then need to associate a new user with the existing account owner’s tenant ID.
Stykas called this “inaccurate and misleading” and said that as his company found the tenant IDs, they were both unprotected and publicly available.
Furthermore, the tenant IDs are sequentially numbered, which would allow a hacker to work them out.
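To make the bug class concrete, here is an added toy model of an "add user to tenant" endpoint, first with the object-level authorization check missing (the IDOR pattern described above) and then with it present, plus a log check that flags writes naming a tenant the caller does not belong to. This is not SonicWall's code or API; the endpoint shape, e-mail addresses and sequential tenant IDs are constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller may not modify the requested tenant."""


@dataclass
class Tenant:
    tenant_id: int
    owners: set = field(default_factory=set)
    members: set = field(default_factory=set)


def make_tenants() -> dict:
    """Constructed sample data: sequential tenant IDs, as the article describes."""
    return {
        1001: Tenant(1001, owners={"alice@example.org"}, members={"alice@example.org"}),
        1002: Tenant(1002, owners={"bob@example.net"}, members={"bob@example.net"}),
    }


def add_user_vulnerable(tenants: dict, caller: str, request: dict) -> Tenant:
    """IDOR: the tenant comes from the request body and is never tied to the caller,
    so any authenticated caller can add any e-mail (including their own) to any tenant."""
    tenant = tenants[request["tenant_id"]]
    tenant.members.add(request["email"])
    return tenant


def add_user_hardened(tenants: dict, caller: str, request: dict) -> Tenant:
    """Object-level authorization: the caller must already own the tenant being changed.
    One error covers both 'no such tenant' and 'not your tenant', so the endpoint
    cannot be used to confirm which sequential IDs exist."""
    tenant = tenants.get(request["tenant_id"])
    if tenant is None or caller not in tenant.owners:
        raise Forbidden("caller is not an owner of the requested tenant")
    tenant.members.add(request["email"])
    return tenant


def is_cross_tenant_write(tenants: dict, caller: str, request: dict) -> bool:
    """Detection rule over API access logs: a write that names a tenant
    the caller is not a member of is the signal to alert on."""
    tenant = tenants.get(request["tenant_id"])
    return tenant is None or caller not in tenant.members
```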
“What makes the difference between a cool vendor and an uncool vendor is how they deal with the report. In our opinion SonicWall didn’t deal with this well and then knowingly exposed every single one of their cloud-connected customers to remote pwnage for 14 days,” Stykas said.