Android malware programmed to send massive amounts of messages (August 7, 2015)

Dell SonicWALL Threats Research team received reports of an Android trojan that sends a large number of messages once it infects the victim's mobile device. Regardless of the number of reports and incidents about malware in the Android ecosystem that occur daily, there are security measures in place that help minimize the damage such malicious apps can cause. One useful security feature built into Android shines in this case, as it thwarts this trojan from executing as its writers intended.

Infection Cycle

During installation the trojan requests just a single permission:

  • SEND_SMS

Based on this permission alone it is easy to guess that this malicious apk might try to send SMS messages from the device it infects. The code of the app confirms this suspicion:

Once the user opens the app after installation, we get the following screen:

Even if the user clicks the “Begin” button without entering any of the required codes, the app tries to send 9000 messages to a specific hardcoded number, 138[Removed]. But it is stopped in its tracks by an Android security feature that brings up a popup:

Google has a security feature in place for exactly this kind of app, one that might try to misuse SMS for monetary gain. If an app tries to send more than 30 messages within 30 minutes, the user sees a popup that warns them about this activity; they can choose to ‘allow’ or ‘deny’ the app from sending further messages. The malicious app we analyzed tells the user that it will send text messages, that a popup will appear, and that the user should click “Always Allow” when it does. So the app is aware of the security feature that might stop it from sending a flood of messages, but it gives the user a false sense of security by telling them that “it’s okay, just allow this behavior”.
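As an added illustration (not code from the SonicWALL post or from Android itself), the following is a simplified model of the rate-limit prompt described above, run over constructed send schedules. The 30-messages-in-30-minutes rule and the trojan's package name are from the post; the remembered allow/deny decision, the event format and the package name used for the legitimate messaging app are assumptions.

```python
from collections import deque

# Rule as described in the post: more than 30 SMS within 30 minutes triggers a prompt.
WINDOW_SECONDS = 30 * 60
MAX_SMS_PER_WINDOW = 30


class SmsRateMonitor:
    """Sliding-window model of Android's per-app SMS rate-limit prompt.

    Assumptions (not from the post): the user's answer is remembered for the
    package (as the trojan's "Always Allow" instruction implies), and a denied
    send does not count toward the window.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_SMS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.sent = {}       # package -> deque of send timestamps (seconds)
        self.decision = {}   # package -> "allow" | "deny", once the user answered

    def attempt_send(self, now, package, user_choice):
        """Process one SMS attempt at time `now` (seconds).

        Returns (outcome, prompted): outcome is "sent" or "blocked"; prompted is
        True when this attempt is the one that raised the popup. `user_choice`
        ("allow" or "deny") is the answer the user would give to that popup.
        """
        window = self.sent.setdefault(package, deque())
        # Drop sends that fell out of the 30-minute window.
        while window and now - window[0] >= self.window:
            window.popleft()

        prompted = False
        if len(window) >= self.limit and package not in self.decision:
            prompted = True
            self.decision[package] = user_choice

        if len(window) < self.limit or self.decision.get(package) == "allow":
            window.append(now)
            return "sent", prompted
        return "blocked", prompted


def simulate(schedule, package, user_choice):
    """Run a send schedule (list of timestamps in seconds) through the monitor.

    Returns how many messages were sent, how many were blocked, and the
    timestamp at which the popup first appeared (None if it never did).
    """
    monitor = SmsRateMonitor()
    summary = {"sent": 0, "blocked": 0, "prompted_at": None}
    for now in schedule:
        outcome, prompted = monitor.attempt_send(now, package, user_choice)
        summary[outcome] += 1
        if prompted and summary["prompted_at"] is None:
            summary["prompted_at"] = now
    return summary


# Constructed schedules.  The trojan's burst: 9000 messages, one per second.
# A legitimate user: 25 texts spread over 50 minutes, which never exceeds
# 30 in any 30-minute window.
TROJAN_BURST = list(range(9000))
LEGITIMATE_USE = [i * 120 for i in range(25)]
TROJAN_PACKAGE = "com.mycompany.mtgyapp"   # from the post
MESSENGER_PACKAGE = "com.example.messenger"  # constructed name for a benign app


def compare_outcomes():
    """The three cases the post discusses, side by side."""
    return {
        "trojan, user denies": simulate(TROJAN_BURST, TROJAN_PACKAGE, "deny"),
        "trojan, user clicks Always Allow": simulate(TROJAN_BURST, TROJAN_PACKAGE, "allow"),
        "legitimate texting": simulate(LEGITIMATE_USE, MESSENGER_PACKAGE, "deny"),
    }


if __name__ == "__main__":
    for label, result in compare_outcomes().items():
        print(f"{label}: {result}")
```

With the user denying, the model holds the app to 30 messages per 30-minute window (150 of the 9000 get through during the 2.5-hour burst); with “Always Allow” every message goes out, which is why the trojan coaches the user to click it.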

User reaction to this feature has been mixed: some like it, considering it a good security feature that prevents SMS-related trojans from spiking the user's monthly bill, but for others it is an inconvenience when the popup appears during legitimate SMS use. While there is no direct way to change the imposed limit, for rooted phones there are multiple solutions available, ranging from custom apps to DIY techniques on popular Android forums.

There is no doubt that it's always good to have security measures in place to thwart unforeseen threats; how these measures affect usability is a matter of opinion. But it's just a bit more reassuring to know that there is a safety net for times when things go wrong.

Dell SonicWALL provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SMSSend.NTH (Trojan)
  • GAV: AndroidOS.SMSSend.NTH_2 (Trojan)

APK Details:

  • Package Name: com.mycompany.mtgyapp
  • MD5: 0302304134196d54d675760e620bd035

Microsoft Security Bulletin Coverage (August 11, 2015)

Dell SonicWALL has analyzed and addressed Microsoft’s security advisories for the month of August, 2015. A list of the issues reported, along with Dell SonicWALL coverage information, follows:

MS15-079 Cumulative Security Update for Internet Explorer

  • CVE-2015-2423 Unsafe Command Line Parameter Passing Vulnerability
    This is a local vulnerability.
  • CVE-2015-2441 Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2442 Memory Corruption Vulnerability
    IPS: 11076 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 1”
  • CVE-2015-2443 Memory Corruption Vulnerability
    IPS: 11077 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 2”
  • CVE-2015-2444 Memory Corruption Vulnerability
    IPS: 11078 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 3”
  • CVE-2015-2445 ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-2446 Memory Corruption Vulnerability
    IPS: 11079 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 4”
  • CVE-2015-2447 Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2448 Memory Corruption Vulnerability
    IPS: 11080 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 5”
  • CVE-2015-2449 ASLR Bypass
    There are no known exploits in the wild.
  • CVE-2015-2450 Memory Corruption Vulnerability
    IPS: 11081 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 6”
  • CVE-2015-2451 Memory Corruption Vulnerability
    IPS: 11083 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 8”
  • CVE-2015-2452 Memory Corruption Vulnerability
    IPS: 11082 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 7”

MS15-080 Vulnerabilities in Microsoft Graphics Component Could Allow Remote Code Execution

  • CVE-2015-2431 Microsoft Office Graphics Component Remote Code Execution Vulnerability
    SPY: 4276 “Malformed-File doc.MP.30”
  • CVE-2015-2432 OpenType Font Parsing Vulnerability
    SPY: 3148 “Malformed-File otf.MP.12”
  • CVE-2015-2433 Kernel ASLR Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2435 TrueType Font Parsing Vulnerability
    SPY: 4232 “Malformed-File ttf.MP.4”
  • CVE-2015-2453 Windows CSRSS Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2454 Windows KMD Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2455 TrueType Font Parsing Vulnerability
    SPY: 4209 “Malformed-File ttf.MP.3”
  • CVE-2015-2456 TrueType Font Parsing Vulnerability
    SPY: 3149 “Malformed-File otf.MP.13”
  • CVE-2015-2458 OpenType Font Parsing Vulnerability
    SPY: 3150 “Malformed-File otf.MP.14”
  • CVE-2015-2459 OpenType Font Parsing Vulnerability
    SPY: 3151 “Malformed-File otf.MP.15”
  • CVE-2015-2460 OpenType Font Parsing Vulnerability
    SPY: 3152 “Malformed-File otf.MP.16”
  • CVE-2015-2461 OpenType Font Parsing Vulnerability
    SPY: 3153 “Malformed-File otf.MP.17”
  • CVE-2015-2462 OpenType Font Parsing Vulnerability
    SPY: 3157 “Malformed-File otf.MP.20”
  • CVE-2015-2463 TrueType Font Parsing Vulnerability
    SPY: 3155 “Malformed-File otf.MP.18”
  • CVE-2015-2464 TrueType Font Parsing Vulnerability
    SPY: 3156 “Malformed-File otf.MP.19”
  • CVE-2015-2465 Windows Shell Security Feature Bypass Vulnerability
    There are no known exploits in the wild.

MS15-081 Vulnerability in Microsoft Office Could Allow Remote Code Execution

  • CVE-2015-1642 Microsoft Office Memory Corruption Vulnerability
    SPY: 4366 “Malformed-File docx.MP.5”
  • CVE-2015-2423 Unsafe Command Line Parameter Passing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2466 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2467 Microsoft Office Memory Corruption Vulnerability
    SPY: 3159 “Malformed-File doc.MP.25”
  • CVE-2015-2468 Microsoft Office Memory Corruption Vulnerability
    SPY: 3160 “Malformed-File doc.MP.26”
  • CVE-2015-2469 Microsoft Office Memory Corruption Vulnerability
    SPY: 3365 “Malformed-File doc.MP.27”
  • CVE-2015-2470 Microsoft Office Integer Underflow Vulnerability
    SPY: 4193 “Malformed-File doc.MP.28”
  • CVE-2015-2477 Microsoft Office Memory Corruption Vulnerability
    SPY: 4195 “Malformed-File doc.MP.29”

MS15-082 Vulnerabilities in RDP Could Allow Remote Code Execution

  • CVE-2015-2472 Remote Desktop Session Host Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2473 Remote Desktop Protocol DLL Planting Remote Code Execution Vulnerability
    There are no known exploits in the wild.

MS15-083 Vulnerabilities in Server Message Block Could Allow Remote Code Execution

  • CVE-2015-2474 Server Message Block Memory Corruption Vulnerability
    There are no known exploits in the wild.

MS15-084 Vulnerability in XML Core Services Could Allow Elevation of Privilege

  • CVE-2015-2434 MSXML Information Disclosure Vulnerability
    IPS: 5770 “Downgraded TLS Traffic”
  • CVE-2015-2440 MSXML Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2471 MSXML Information Disclosure Vulnerability
    IPS: 5770 “Downgraded TLS Traffic”

MS15-085 Vulnerability in Mount Manager Could Allow Elevation of Privilege

  • CVE-2015-1769 Mount Manager Elevation of Privilege Vulnerability
    This is a local vulnerability.

MS15-086 Vulnerability in System Center Operations Manager Could Allow Elevation of Privilege

  • CVE-2015-2420 System Center Operations Manager Web Console XSS Vulnerability
    There are no known exploits in the wild.

MS15-087 Vulnerability in UDDI Services Could Allow Elevation of Privilege

  • CVE-2015-2475 UDDI Services Could Allow Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-088 Unsafe Command Line Parameter Passing Could Allow Information Disclosure

  • CVE-2015-2423 Unsafe Command Line Parameter Passing Vulnerability
    This is a local vulnerability.

MS15-089 Vulnerabilities in WebDAV Could Allow Information Disclosure

  • CVE-2015-2476 WebDAV Client Information Disclosure Vulnerability
    IPS: 5770 “Downgraded TLS Traffic”

MS15-090 Vulnerability in Microsoft Windows Could Allow Elevation of Privilege

  • CVE-2015-2428 Windows Object Manager Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2429 Windows Registry Elevation of Privilege Vulnerability
    This is a local vulnerability.
  • CVE-2015-2430 Windows Filesystem Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

MS15-091 Cumulative Security Update for Microsoft Edge

  • CVE-2015-2441 Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2442 Memory Corruption Vulnerability
    IPS: 11076 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 1”
  • CVE-2015-2446 Memory Corruption Vulnerability
    IPS: 11079 “Internet Explorer Memory Corruption Vulnerability (MS15-079) 4”
  • CVE-2015-2449 ASLR Bypass
    There are no known exploits in the wild.

MS15-092 Vulnerabilities in .NET Framework Could Allow Elevation of Privilege

  • CVE-2015-2479 RyuJIT Optimization Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2480 RyuJIT Optimization Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2015-2481 RyuJIT Optimization Elevation of Privilege Vulnerability
    There are no known exploits in the wild.

Is Your Existing Security Solution Able to Protect Against Emerging Threats?

Many deployed security solutions rely on a number of legacy products to provide layered security services. In addition, most customers are without security products that perform deep packet inspection (DPI) or SSL/TLS (DPI-SSL) inspection. This combination is leaving you vulnerable at a time when the complexity of cyber security attacks and the proliferation of malware is exploding.

Legacy security stacks may not be up to the task of providing up-to-date protection, and are subject to limitations imposed by the humans that manage them. The individual components of each stack must be configured, updated, licensed and managed, often independently, using different tools by different people. This tends to create gaps between layers that are easily exploited by cyber criminals waiting to pounce. Furthermore, a security stack is only as good as its lowest common denominator, and security is often compromised for performance or cost.

Industry analysts show that the market is moving towards next-generation firewalls (NGFW), but wholesale replacement of your current security stack with an NGFW involves risk in both migration and implementation. In addition, defaulting to the incumbent vendor to mitigate this risk may not deliver the functionality needed to meet emerging security requirements. Security is one place where the incumbent vendor may not always be good enough.

In addition to the move towards NGFW, an emerging mega-trend is the proliferation of SSL/TLS (https) encrypted websites (and subsequent encrypted data) due to moves by Google and others driving this change. Just recently the U.S. Office of Management and Budget mandated the encryption of all U.S. Government websites. The percentage of external encrypted traffic in your network is about to explode. Is your current solution able to handle this massive change?

SonicWall SuperMassive Next-Gen Firewall 9000 Series

SonicWall has a differentiated solution to these problems that mitigates risk while allowing you to implement an NGFW security stack and address the scalability requirements of increasing encrypted traffic, while keeping costs low and removing the need to choose performance over security. Our Firewall Sandwich architecture can be deployed transparently behind existing security solutions and adds full DPI security services including application control, intrusion prevention, anti-malware, content filtering and SSL/TLS inspection. This scale-out architecture allows up to 16 Dell SonicWall SuperMassive devices to perform DPI inspection in parallel, supporting up to 160Gbps of DPI and 80Gbps of SSL-DPI. Users can start small and scale as needed, leveraging existing devices and removing the need to retire hardware prematurely for performance reasons, which directly impacts the cost of providing security. Every SonicWall device has the same security protections and up-to-the-minute updates from the Dell SonicWall GRID (Global Response Intelligent Defense) network of 1.1m sensors collecting real-time threat intelligence.

Compared to alternatives, the Firewall Sandwich (FWS) has these advantages:

  • Unlike fixed form factor systems, FWS can scale beyond single unit or HA pair performance
  • Unlike chassis based systems, FWS has the economics of fixed form factor systems and can be deployed in a pay-as-you-grow model
  • FWS provides 1+n redundancy vs. 1+1 in traditional fixed-form factor or chassis based implementations
  • Performance and scalability are linear in FWS vs. fixed in single or HA deployments
  • As units are added to the FWS, cost per protected megabit drops

Using this architecture, SonicWall has helped many customers extend the life of their current security products, minimize risk of adopting DPI security services and scale to meet increasing demands while keeping the costs of providing greater security in check.

Android malware with hidden message for Security Analysts (June 19, 2015)

In today’s internet age, malware as a threat has gained immense visibility, and awareness of its dangers is widespread. Many companies allocate a budget to safeguard their products and services against such threats. In an effort to thwart fast-spreading malware, a sample generally goes through static and dynamic inspection, automated or performed manually by security researchers, in order to understand it and provide remediation.

Sometimes malware writers hide messages meant for the researchers who dissect such malicious entities, since these messages are visible only to prying eyes. Dell SonicWALL Threats Research team received reports of such a self-aware Android locker malware that winks at researchers with a message in its code.

Infection Cycle

The Android Package (apk) asks for the following permissions during installation:

  • System Alert Window
  • Receive SMS
  • Send SMS
  • Receive boot completed
  • Internet
  • Access network state

Once the app is started after installation, we see a lockscreen as below:

This lockscreen hinders the user from doing anything on the device, as the buttons and touch input do not perform any action; the only thing staring back at the user is the lockscreen. This is where malware writers usually demand a ransom, generally money, in exchange for liberating the device from the lockscreen.

In this case, however, we do not see any such demand; the message simply states that the device can be ‘unlocked’ if the right password is entered. As the message on the lockscreen indicates, the trojan generates a serial number for every infected device (9476849 in our case).

Once the lockscreen sets in, an SMS is sent to 183[removed] in the background to indicate a successful infection. This is where the SMS Send and Receive permissions are used by the app.

Lockscreen malware that displays a ransom message covering the entire screen has been on the rise for both mobile devices and Windows machines; detailed analyses of some of them can be found on our blogs. But this malware for Android devices has a special message for the security analysts who analyze it:

An Android application is made up of compiled Java code; to view the code and perform a static analysis of the application, it has to be decompiled. This is common practice in Android malware analysis, and the malware writers in this case have added a message for the security analysts who try to decompile the application.

There have been trojans in the past that lock the device and encrypt all the files on it in exchange for money, as highlighted in one of our previous blogs. We did not see any such demands in this case; this trojan is essentially just a locker and does not encrypt the files on the device. It won't be surprising if additional features are added to this trojan in the time to come.

Getting rid of the lockscreen is quite easy in this case if one follows the steps listed below:

  • Unlock Developer mode by going to Settings > About Phone > Build number and tapping it 7 times
  • Enable USB debugging from Settings > Developer Options
  • Connect the device to a machine that has the Android SDK installed; we will be using Android Debug Bridge (ADB), a command line tool that can communicate with the device
  • Double check that the device is connected and adb is able to talk to it by running – adb devices
    • The list of devices attached should include your device's serial number
  • Once connected, simply run – adb shell am force-stop qqkj.qqmagic
    • Here we are force-stopping everything associated with the app that has the specified package name
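As an added example (not code from the SonicWALL post), the steps above can be driven from a script that refuses to proceed unless adb reports the device in the usable “device” state, and that checks the result of each step before moving on. It assumes adb is on PATH; the `run` parameter and the sample `adb devices` output are there only so the logic can be exercised without a phone attached.

```python
import subprocess

LOCKER_PACKAGE = "qqkj.qqmagic"   # package name from the post

# Constructed sample of `adb devices` output: one usable phone and one that has
# not yet accepted the USB-debugging authorization prompt.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "0123456789ABCDEF\tdevice\n"
    "FEDCBA9876543210\tunauthorized\n"
)


def parse_adb_devices(output):
    """Map each serial in `adb devices` output to its state.

    Only 'device' means adb can run shell commands; 'unauthorized' means the
    RSA-key prompt on the phone was not accepted, 'offline' that the transport
    is not ready.  A full-screen locker can hide that prompt, so the state
    check matters in this case.
    """
    devices = {}
    for line in output.splitlines():
        if line.startswith("List of devices") or line.startswith("*"):
            continue   # header line or adb daemon chatter
        parts = line.split()
        if len(parts) >= 2:
            devices[parts[0]] = parts[1]
    return devices


def _adb(args, run):
    """Run one adb command and return (exit code, stdout)."""
    proc = run(["adb", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def remove_locker(serial, package=LOCKER_PACKAGE, run=subprocess.run):
    """Force-stop and then uninstall `package` on the device with `serial`.

    Returns the adb argument lists that completed.  Raises RuntimeError if the
    device is not in the 'device' state or if either step fails.
    """
    _, listing = _adb(["devices"], run)
    state = parse_adb_devices(listing).get(serial)
    if state != "device":
        raise RuntimeError(
            f"{serial}: state {state!r}; enable USB debugging and accept the "
            "authorization prompt on the phone first"
        )
    steps = [
        ["-s", serial, "shell", "am", "force-stop", package],   # step from the post
        ["-s", serial, "uninstall", package],                   # then remove the apk
    ]
    completed = []
    for args in steps:
        code, out = _adb(args, run)
        # `adb uninstall` has printed "Failure [...]" with exit code 0 in older
        # releases, so check the text as well as the exit code.
        if code != 0 or "Failure" in out:
            raise RuntimeError(f"adb {' '.join(args)} failed: {out.strip()}")
        completed.append(args)
    return completed


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; with a phone attached,
    # call remove_locker(<serial>) instead.
    for serial, state in parse_adb_devices(SAMPLE_ADB_DEVICES).items():
        print(f"{serial}: {state}")
```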

Overall this threat can be easily countered by force-stopping the app via adb and uninstalling it. Additionally, we did not observe any sensitive user information being transmitted back to the attacker, which suggests the low potency of this threat.

Dell SonicWALL provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SLocker.EG (Trojan)
  • GAV: AndroidOS.SLocker.CN (Trojan)

APK Details:

  • Package Name: qqkj.qqmagic
  • MD5: 735b4e78b334f6b9eb19e700a4c30966

Wireless Firewall Solutions for Small Offices and Distributed Enterprises

If you are a small office, I have good news: the new SonicWall TZ Wireless Firewall Series now has integrated wireless. In an earlier life, the startup I was working for had a small compact office; it would be the perfect candidate for the integrated wireless product. For many, where the office is spread out or occupies multiple floors, the ability to use Access Points for an external solution would be the way to go.

Stay ahead of the threats with a product that reduces your threat surface with the security solution used by the big boys. If you are concerned that your security solution is not cutting it, now is the time to consider taking a look at the new TZ Wireless Firewall Series.

Why this is important for business owners

For the business owner, building the business is what commands your attention. Behind this is the absolute desire to avoid negative press associated with a data breach. Looking forward, the question remains “how do I use emerging trends to grow my business?” The new SonicWall TZ series gives you the confidence to grow your business and avoid embarrassing press. Security can help grow your business because a secure perimeter can be seen as a differential advantage, especially when working with enterprise customers.

Business owners are always dealing with tight budgets and look for ways to get the most out of their investment. No need to cut corners here. Both the wireless and wired products are not only affordable but over time deliver an impressively low total cost of ownership. With the TotalSecure bundle, combined with the wide range of product capabilities, the price to buy and the cost to own is something that should warrant investigation.

Over the past several years, SonicWall has invested in security to become the go-to provider of broad security solutions. With the SonicWall TZ products, there is a complete line of wired and wireless network security solutions that fit any type of business small to large. The TZ series enables businesses to achieve the same level of security on the wireless LAN that they have on their wired LAN through integrated wireless or by attaching an 802.11ac SonicWall SonicPoint wireless access point to the firewall. This high-speed “wireless network security” solution protects the WLAN by scanning wireless traffic for threats.

Why this is important for IT managers

For the small business, the IT department may be only one person. The focus is on maintaining a high performance network. The SonicWall TZ series can make the network more efficient by allocating more bandwidth to important applications over less important and unproductive apps. The moment you add remote or branch offices, the network becomes more complex. By deploying the same firewall across networks, the efficiencies found with one network expand to include all networks. Instead of complexity, you get simplicity.

Highly effective security can also make the life of an IT manager simpler. The security perimeter is much more robust when everyone has the same device and everyone can speak a common language. Our security engine is common to all of our products and has been recognized not only for security effectiveness, but for value as well. Compared to Cisco we are more affordable; compared to Fortinet, we perform better; and compared with Palo Alto, we have a wider product offering for small businesses. With the multiple products we offer, there is a solution designed to fit your specific needs and your budget.

Network security is not a one-shot event; it is a long-term race with many twists and turns. If you followed the Tour de France, you can see plenty of similarities. If you are going to wear the yellow jersey you need to be a leader, but you also need a strong support team to help you meet the challenges of the road ahead. In the security race that means you need the latest technology and a strong team supporting you. Let SonicWall’s winning products bring a new level of performance to your security race.


ATMFD.DLL Memory Corruption Vulnerability attacks spotted in the wild (Aug 4, 2015)

CVE-2015-2387 attacks have been spotted in the wild. An elevation of privilege vulnerability exists in the Adobe Type Manager Font Driver (ATMFD) when it fails to properly handle objects in memory. ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows allows local users to gain privileges via a crafted application, aka “ATMFD.DLL Memory Corruption Vulnerability.” An attacker who successfully exploits this vulnerability can execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following is the analysis of the exploit:

The executable is packed and contains the malicious font and the exploit code. The payload (.exe) prepares the ROP gadgets in user mode before it calls the vulnerable ATMFD.dll in kernel mode.

The sample opens ntkrnlpa.exe and calls the vulnerable ATMFD.dll. The malicious exe starts a cmd process with local privileges and then exploits the vulnerability to gain admin privileges.

Running the malicious exe under windbg shows that it loads the font into memory.

Setting a breakpoint at NamedEscape shows the vulnerable dll being called.

The binary then tries to load the malicious font (the OTTO tag of an OpenType font):

When ATMFD.dll processes this font, a buffer overflow occurs, which allows the attacker to gain admin privileges.

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect its customers:

  • GAV 20469 : Dropper.A_767
  • GAV 17022 : CVE-2015-2387

A Winning Wireless Combo – New SonicWall TZ Wireless Firewalls and SonicWall SonicPoints 802.11ac

This is a guest post by Timothy Martinez, Founder and President of Western NRG, a premier partner of SonicWall Solutions.

The new SonicWall TZ Wireless line offers comprehensive security and powerful performance for wired and wireless networks, all in one unit. These network security appliances bring huge technical strides in processing and inspection power to the TZ line, along with 802.11ac wireless, which has up to 3x the throughput of previous wireless standards. The new TZ Wireless series is a powerful all-in-one solution that is perfect for small and medium-sized businesses looking for top-notch network performance with the latest wireless improvements.

We have had phenomenal results deploying the SonicPoint AC wireless access points since their release earlier this year. Every customer that has implemented the AC SonicPoints has seen significant improvement in the quality and speed of their wireless network. The technical improvements of the 802.11ac wireless standard combined with the high quality of the SonicPoint hardware have made the release the best one yet. The AC SonicPoints make enterprise-class wireless accessible and affordable for anyone with a SonicWall firewall. Organizations that require large areas to have complete wireless coverage love how the SonicPoints integrate with their existing network infrastructure and can be centrally managed from a familiar and intuitive interface. Wireless technology has improved by leaps and bounds over the last five years, and the performance that customers who are using the new SonicPoint AC access points are experiencing is the truest testament to that.

The SonicWall TZ Wireless firewall line is ideal for customers that need a single wireless access point for their location. Customers with networks distributed across multiple geographies love how the TZ Wireless solution allows them to implement a single device for network routing, security and wireless access. They also benefit from having a single integrated device because it lowers the cost and complexity of implementation and ongoing support. The new TZ line has the latest security and wireless technologies combined into one simple, desktop form-factor appliance.

One word of caution I would offer about recommending these appliances for certain environments is placement. The location of the firewall will need to be central enough in the customer location to provide adequate wireless coverage. Often, we see the location of the internet modem, and therefore the firewall is in a telco closet in the back of the building, which is generally not the ideal location to have your wireless broadcast point situated. This is something you will want to clarify in the pre-sales process in order to guarantee a successful implementation and happy customer.

The Generation 6 TZ SonicWall and SonicWall SonicPoint AC lines are the most powerful firewall and wireless products that SonicWall has released to date. They bring true enterprise-level firewall and wireless capabilities to the SMB market with outstanding performance and rich feature sets. The SonicWall TZ Wireless line puts these great products into a single package that is ideal for security specialists and customers alike.

OpenSSL Alternative Chains Certificate Forgery (Aug 3, 2015)

A few weeks ago, OpenSSL released patches that fix several vulnerabilities. Among them, the “Alternative Chains Certificate Forgery” vulnerability can lead to man-in-the-middle (MITM) attacks.

This MITM vulnerability affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.

The vulnerability is tracked as CVE-2015-1793.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 11041 OpenSSL X509_verify_cert Function Security Bypass

Dell SonicWALL has observed several attack attempts in the past week:

Targeted IPs affected by the vulnerability: