A double-free vulnerability in GnuTLS.

The GnuTLS function _gnutls_x509_dn_to_string(), which processes Names in X.509 certificates, is vulnerable to a double-free on its error path. The function frees its output data when it fails, and a caller that receives the error and then frees the same data variable releases memory that has already been freed.

A remote attacker can trigger this vulnerability by sending a crafted X.509 certificate containing very long values in the issuer or subject Name, which drives the function into the error path and the double-free. Successful exploitation can lead to arbitrary code execution, while an unsuccessful attempt can terminate the application and cause a denial of service.
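As an added illustration of the defect class described above (example code written for this page, not GnuTLS's own code): a callee that frees its output buffer on error but leaves the caller holding the dangling pointer, next to the fixed contract in which whoever frees also clears the pointer, so the caller's own cleanup becomes a harmless free(NULL). The functions dn_to_string_flawed, dn_to_string_fixed and tracked_free, the DN_MAX_LEN limit and the sample DN strings are hypothetical stand-ins; tracked_free exists only so that the second release is reported as a return value instead of corrupting the heap.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustration-only free() wrapper: remembers which pointers were already
 * released so a second release of the same pointer is reported (-1) rather
 * than corrupting the heap. Returns 0 for a normal release or free(NULL). */
#define MAX_TRACKED 16
static void *released[MAX_TRACKED];
static int nreleased;

static void tracker_reset(void) { nreleased = 0; }

static int tracked_free(void *p) {
    if (p == NULL) return 0;                      /* free(NULL) is a no-op */
    for (int i = 0; i < nreleased; i++)
        if (released[i] == p) return -1;          /* double free */
    if (nreleased < MAX_TRACKED) released[nreleased++] = p;
    free(p);
    return 0;
}

enum { DN_OK = 0, DN_E_TOO_LONG = -1, DN_E_MEMORY = -2 };
#define DN_MAX_LEN 64   /* hypothetical limit on the printable DN, chosen for this example */

/* Flawed contract (hypothetical stand-in for the pre-fix behaviour the advisory
 * describes): on error the callee frees *out but leaves the pointer dangling. */
static int dn_to_string_flawed(const char *dn, char **out) {
    size_t len = strlen(dn);
    *out = malloc(len + 1);
    if (*out == NULL) return DN_E_MEMORY;
    memcpy(*out, dn, len + 1);
    if (len > DN_MAX_LEN) {
        tracked_free(*out);                       /* *out still points at freed memory */
        return DN_E_TOO_LONG;
    }
    return DN_OK;
}

/* Fixed contract: the same error path also clears the caller's pointer. */
static int dn_to_string_fixed(const char *dn, char **out) {
    size_t len = strlen(dn);
    *out = malloc(len + 1);
    if (*out == NULL) return DN_E_MEMORY;
    memcpy(*out, dn, len + 1);
    if (len > DN_MAX_LEN) {
        tracked_free(*out);
        *out = NULL;                              /* caller's cleanup becomes free(NULL) */
        return DN_E_TOO_LONG;
    }
    return DN_OK;
}

/* Caller that, as the advisory describes, releases the output buffer when the
 * conversion reports an error. Returns 1 if that cleanup is a double free. */
static int caller_cleanup_double_frees(int (*convert)(const char *, char **), const char *dn) {
    char *str = NULL;
    tracker_reset();
    int rc = convert(dn, &str);
    if (rc != DN_OK)
        return tracked_free(str) == -1;           /* error path: caller frees "its" buffer */
    printf("DN: %s\n", str);
    tracked_free(str);                            /* success path: single owner, single free */
    return 0;
}

/* Constructed sample inputs: one ordinary DN and one longer than DN_MAX_LEN. */
static const char SHORT_DN[] = "CN=example.test,O=Example";
static const char LONG_DN[] =
    "CN=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

int main(void) {
    printf("flawed contract, long DN: double free = %d\n",
           caller_cleanup_double_frees(dn_to_string_flawed, LONG_DN));
    printf("fixed contract,  long DN: double free = %d\n",
           caller_cleanup_double_frees(dn_to_string_fixed, LONG_DN));
    return 0;
}
```

The point of the fixed variant is ownership clarity: the error path must either leave the buffer for the caller to free or free it and null the pointer, never free it and leave the caller believing it still owns it.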

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 5512 Server Application Shellcode Exploit 28

SonicWall Security is coming to SonicWall World 2015

SonicWall World 2015 takes place in Austin in a couple of weeks, Oct. 20-22, and I am eager to talk security with our customers, partners, press and analysts. We will kick off the conference with a Network Security Track at the SonicWall World Software User Forum, which leads to three information-packed days of technical training for SonicWall Next-Generation Firewall customers. The deep dive technical sessions delivered by our engineers and product managers will help them defend their networks against continuously evolving threats by leveraging their existing security infrastructure. The Network Security Track is designed to provide practical answers to questions and challenges associated with security in general and as it relates to SonicWall Next-Generation Firewalls. We’ll have experts on hand to work directly with participants, step-by-step, to address their most pressing issues. Additionally, we are hosting lab sessions where they can see first-hand the best practices recommended by security engineers to address a variety of scenarios.

In addition to the focused Network Security track, SonicWall Security thought leaders will be presenting in a variety of breakout sessions at both the SonicWall World Software User Forum and at the SonicWall World Main Track. Here are all of the sessions available to attendees:

Main Track (MT) – Wed. 1 pm/ Thurs 9:30 am Panel – Mobilizing People and Data for a Future-ready Workforce:

Today’s workforce is evolving: work is an activity, not a location, and people want choice in the tools they use. While many technology providers claim to have “the” answer to mobility, in reality they’re only equipped to address a narrow set of challenges, leaving the customer to patch together a solution. In this session, learn how SonicWall uses recent research to buck this one-size-fits-all approach with strategies centered on mobilizing two things: people and data. We’ll share how SonicWall integrates solutions across our end-to-end portfolio to give people the best tools for the job, while mobilizing data in a secure, managed and reliable way.

Main Track (MT41) – Wed 2:30 pm/Thurs 8 a.m. – Key Security Insights: Examining 2014 to predict emerging threats:

Cyber-crimes are alive and well on the global stage and will only continue to be pervasive as long as organizations prolong taking the necessary defense measures to stop threats from slipping through the cracks. In this session, we’ll present the most common attacks SonicWall observed since 2014 and the ways we expect emergent threats to affect small and medium businesses, as well as large enterprises moving forward. This session is perfect for anybody who is interested in learning more about the state of the union in security.

Software User Forum (SUF 60) – Endpoint to Perimeter: Network Protection That’s Inside Out and Outside In:

As an IT professional, it is an alarming time you live in. Each and every day you may be feeling unease about the risk of your network being breached. The cybercriminal community is relentless in its pursuit to exploit the weaknesses of your network wherever they could find them. So how well are you prepared for the next attack? In this session, we will discuss how you can take advantage of modern-day network security tools and services to achieve ongoing protection against emerging threats. Additionally, we will explore why it truly counts to have a nimble threat research and response team working for you. This session will provide a complete overview of the entire SonicWall Security solution portfolio to help you get a handle on what is important for your organization to think about.

Software User Forum (SUF 61) SonicWall Email and Encryption Solutions:

In this session, you will learn about leading edge-strategies and technologies to protect your email from viruses, spam, and confidential data leaks and how SonicWall can help you easily and affordably meet industry and regulatory requirements for secure email exchange.

  • Speaker: Jane Wasson

Software User Forum (SUF 62) Mobile Access and Security update:

In this session, you will learn about the leading-edge strategies and technologies to securely enable mobile worker productivity while protecting your data from loss or theft and how SonicWall Secure Mobile Access Solutions can help.

  • Speaker: James Whewell

Software User Forum (SUF 63) Key Security Insights:

Examining 2014 to Predict Emerging Threats: Cyber-crimes are alive and well on the global stage and will only continue to be pervasive as long as organizations prolong taking the necessary defense measures to stop threats from slipping through the cracks. In this session, we’ll present the most common attacks SonicWall observed since 2014 and the ways we expect emergent threats to affect small and medium businesses, as well as large enterprises moving forward. This session is perfect for anybody who is interested in learning more about the state of the union in security.

I hope to see you in a few weeks in Austin. Let me know if you have questions. We can connect via Twitter @Johngord.

The Dell Sonicwall Threats Research team observed reports of a New Malware family named GAV: Venik.RKT actively spreading in the wild.

This time the attackers perform DLL injection into Service Host (svchost.exe) to avoid detection by anti-virus programs. Svchost.exe is a system process that hosts multiple Windows services.

Infection Cycle:

The Malware uses the following icon:

MD5:

  • 9ba2036234c6a043d1f55bb018be34ff

The Malware adds the following files to the system:

  • Malware.exe

    • C:\WINDOWS\system32\ackypw.dll [Detected as GAV: Venik.RKT (Trojan)]

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32

    • %SystemRoot%\System32\svchost.exe -k krnlsrvc

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinjHrelpq32\Parameters

    • C:\WINDOWS\system32\ackypw.dll

Once the computer is compromised, the malware copies its own DLL file to the system root folder.

The file ackypw.dll is dropped after the malware launches on the target system; the malware then injects this DLL into svchost.exe to avoid detection by anti-virus programs. Here is an example:

The malware generates fake traffic towards the Baidu search engine, as shown below:

Command and Control (C&C) Traffic

Venik.RKT performs C&C communication over port 8089. The malware sends the victim's system information to its own C&C server in the following format; here is an example:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Venik.RKT (Trojan)

How to Transform Your Network Security Infrastructure To Be Future-Ready

As an IT leader, you understand how new disruptive technologies can improve your company’s competitive positioning and drive overall business value. Technology trends such as cloud, mobility, social and big data compel companies to move quickly to define and implement next-generation data center architectures and security defense strategies to take advantage of these new technologies. While these trends have proven to boost commerce and operational efficiencies for many businesses who are early adopters, they also introduce security loopholes that give cyber-criminals an easy path to inject malware into the network, evade detection, and steal data.

For example, when new software and network designs are implemented to enable BYOD initiatives, companies quickly find themselves at higher risk due to the increasing number of vulnerable web applications and unsafe systems and endpoint devices that are added to their network. They’re now forced to grapple with a significantly higher volume of connected devices accessing their networks which have the potential to slow performance as well as productivity. Not only can users consume an enormous amount of bandwidth with multiple connections per device and time-wasting, productivity-draining applications such as social media and video streaming, they also collectively create a much larger attack surface for cyber-criminals to exploit. To fully benefit from BYOD and other business enabling technologies, next-generation data centers must be agile, scalable, manageable, flexible, and most importantly, secure against the ever-changing global threat environment including network attacks that use encryption to bypass security controls. After all, a security system cannot stop what it cannot decipher.

To meet these challenges, the network security layer must be highly extensible to support the largest of data centers’ bandwidth consumption with absolutely near zero downtime. Such requirements have justified necessary networking security architectures that can be incrementally deployable and horizontally scalable. In other words, there might not be a single SonicWall Next-Generation Firewall (NGFW) with the scale to meet the performance requirements of some compute- and bandwidth-intensive networks such as large institutions, government agencies, and global enterprises. A more practical way to scale the performance beyond capabilities of a single SonicWall NGFW device is to combine multiple SonicWall NGFW devices into a network cluster for full redundancy, failover and failback to ensure there is no single point of failure in the design. In this infinite scale-out model, adding additional security compute resources should ideally be a matter of easily adding more firewalls to the system in a very cost-effective way.

If you are currently tasked with implementing big-bet initiatives to improve growth and competitiveness and feel that security is your biggest barrier for implementing these programs, SonicWall invites you to download this exclusive “A Massively Scalable Approach to Network Security” white paper to help you implement your future-proofed, network-based scale-out security layer architecture. This is a highly resilient design that offers transparent security services to augment existing security solutions, separate security functions and provide added capacity via N+1 redundancy to solve your most complex and demanding data center requirements. The solution provides the following benefits:

  1. Scalable performance to support 10, 40 and/or 100+ Gbps data centers
  2. Assured availability of internet services and connectivity without compromising security
  3. Deep security through SSL inspection and prevention of intrusions, malware, botnets, etc.
  4. Visualization of all applications, users, groups traversing the firewalls
  5. Cost savings up to 82%* lower than Cisco and 65% lower than Palo Alto Networks and 57% lower than Fortinet

Internet of Things (IoT) Challenges Solution Providers with Security Risks

A lot has happened in the last year across SonicWall Network Security Solutions. We have implemented a complete refresh of our SonicWall TZ Wireless firewall product line from top to bottom while expanding the portfolio with the introduction of new platform form factors and performance capabilities. We’ve innovated the software as well, improving features and performance, to deliver value for every size company from small businesses to distributed enterprises. At the annual partner conference, SonicWall Security Peak Performance 2015 – Come for Knowledge, Leave with Power, we announced best practices for securing the Internet of Things (IoT). We continue to arm our security channel partners with next-generation firewalls to fight the malware economy with the support of our threat research, our Deep Packet Inspection Engine, and, responding to the rise in encrypted traffic, we’ve dramatically increased security for our customers by enhancing our DPI SSL capabilities and overall support from top to bottom. Our partners from 21 countries attended dynamic keynote presentations and 20 technical breakout sessions with our security experts at three levels of security curriculum.

The next big trend that people are talking about is the Internet of Things. At Peak, the buzz on how this will create new vulnerabilities was widely evident. One of the discussions by our SonicWall Security experts identified five key steps to take full advantage of the evolution of IoT devices:

  1. Put Security First: Be vigilant and ensure data is secured and encrypted from the data center or the cloud to the endpoint and everything in between. SonicWall advocates a holistic approach to security that includes looking at endpoint security, network security, identity and access management, and more. Be aware of the data device vendors collect. If they are collecting data on all of their customers, this consolidated data set may be a very attractive target for hackers.
  2. Research the Devices: Evaluate the IoT devices accessing and planning to access the system. Understand what they do, what data they collect and communicate, who owns the data collected from the device, where the data is being collected, and any vulnerability assessments or certifications the devices have.
  3. Audit the Network: It is critical to understand the impact of IoT on network traffic in the current ‘as-is’ state. Do an audit to understand what is currently accessing the system, when, what it does when it sees data, and what it communicates to and where. This will enable an organization to reassess its network performance and identify any changes on an ongoing basis as additional devices are knowingly or unknowingly added or removed.
  4. Compartmentalize Traffic: Employ a ‘no-trust’ policy when it comes to IoT devices. Ensure they are on a separate network segment or virtual LAN (VLAN) so they are not able to access or interfere with critical corporate data.
  5. Educate Everyone: IoT is the ‘Wild West’ and will continue to evolve and change rapidly over the coming months and years. As such, it will be critical to ensure IT, security and network teams educate themselves about the latest devices, standards, and issues. Be prepared for consolidation and emerging standards, but understand today, little of that exists as some devices have weak or no security.

Our Security Channel partners are all Peak Performers

Getting ready for the surge of devices that come with the IoT is something partners need to consider as they chart their future. SonicWall Peak Performance is both a forum for information exchange on best practices as well as a vehicle to prepare for the IoT future. SonicWall Network Security channel partners have achieved tremendous success in the last 12 months. This underscores the value of the channel program. Some of the highlights include:

  • 12,000 partners sold SonicWall products
  • Number of deal registrations increased by 7 percent to over 4,100 per quarter, while the number of partners submitting deal registrations rose by 12 percent to 1,300 per quarter.
  • Partners who attended Peak Performance last year saw 40 percent year-over-year growth and 33 percent quarter-over-quarter growth;
  • 8,700 network security courses were taken, representing 1,700 partner companies
  • 320 partners earned the network security competency, bringing the total number of Preferred and Premier level partners to 1,500

SonicWall Security Recognizes Peak Performers

Our Premier Partner, Secure Designs, Inc. delivered peak performance with their phenomenal customer success with Time Warner Cable Wireless.

“The key takeaway of SonicWall Peak Performance 2015 would be that SonicWall is totally committed to make things happen, we learned that already in some of the breakout sessions and really whatever you want to do, you have the ability to do. Whether it’s a specific program that they have that you can deploy, or there’s something outside of the box that you want to tell them, they’re going to be interested in helping to make it happen,” said Larry Cecchini, President and CEO of Secure Designs Inc.

Joe Gleinser, president of GCS Technologies, a premier partner, was interviewed onsite: “I have used SonicWall for nearly a decade and have 500 clients deployed across Texas and my clients learn to depend on the SonicWall brand.”

“Our partners are such an important piece of our business and we’re thrilled to be able to recognize their tremendous accomplishments over the last year. The amount of energy and excitement coming out of the Peak Performance show was contagious and we’re looking forward to seeing how our partners capitalize on this. We look forward to celebrating more successes next month at SonicWall World in Austin, TX,” said Chris Szarlacki, Director, Channel Marketing, SonicWall.

Microsoft Office Macros are back with Dridex Trojan (October 2, 2015)

The Dell Sonicwall Threats team recently observed the return of malicious macros in Microsoft Office documents. These malicious macros are downloading the banking trojan, Dridex.

Infection Cycle:

The threat is spread by spam email with subjects such as “Please print”, sent from a UK email address.

The attachment is a Word document (Order-SO00653333-1.doc) (detected as GAV: Downloader.B_7 (Trojan)) which contains the malicious macros. When opened, it is a blank document stating that macros must be enabled to see the content. By default, macros are disabled.

During analysis, the malicious word document had these strings embedded inside:

    “http://www.StealthBot.net/sb/Launcher/”
    “http://www.norlabs.de/123/1111.exe”
    “http://www.althBot.net/sb/Launcher/”

The document contains the keywords “AutoOpen” (“Runs when the Word document is opened”) and “AutoClose” (“Runs when the Word document is closed”). These are embedded in the VBA macros, which therefore execute automatically.

Once the macros are enabled, the user still cannot see any content in the Word document. The macros are used to download the Dridex banking malware from domains controlled by the attackers.

It then downloads an executable 1111.exe [detected as GAV: Dridex.B (Trojan)].

This banking trojan tries to steal information from the victim’s machine and post it to the remote Command & Control servers.

The Dell SonicWall threats team urges users not to fall for these scams. SonicWALL customers with the “block office files with VBA macros” checkbox enabled are already protected from this threat.

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Downloader.B_7 (Trojan)
  • GAV: Dridex.B (Trojan)

Exploits for CVE-2015-2331 spotted in the Wild (Oct 02, 2015)

Integer overflow in the _zip_cdir_new function in zip_dirent.c in libzip, as used in the ZIP extension in PHP, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a ZIP archive that contains many entries, leading to a heap-based buffer overflow (CVE-2015-2331).

A ZIP file consists of many records. One field of the Zip64 record is “total number of entries in the central directory on this disk”. When PHP is used to open a ZIP archive, this field is used to compute the size of a heap buffer, so a large value in it causes the buffer to overflow.
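To make the allocation problem concrete, here is an added example (written for this page, not libzip's or PHP's code) that reads the “total number of entries in the central directory on this disk” field from a Zip64 end of central directory record, shows how multiplying that count by a per-entry size in 32-bit arithmetic wraps to a tiny buffer size, and shows the bounds and overflow checks a hardened parser applies before allocating. The 46-byte ENTRY_SIZE used for the in-memory table, the helper names and the 4096-byte archive size are assumptions made for this example; the field offset (24) and the 46-byte minimum on-disk central directory header follow the ZIP specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ZIP64_EOCD_SIG        0x06064b50u  /* Zip64 end of central directory signature */
#define ZIP64_EOCD_FIXED_LEN  56           /* fixed part of the record, in bytes */
#define CDIR_ENTRY_MIN_LEN    46u          /* smallest possible central directory header on disk */
#define ENTRY_SIZE            46u          /* assumed in-memory per-entry size for this example (not libzip's) */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t le64(const uint8_t *p) {
    return (uint64_t)le32(p) | ((uint64_t)le32(p + 4) << 32);
}

static void put_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void put_le64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Build a minimal Zip64 end of central directory record with the given
 * "total number of entries in the central directory on this disk" (offset 24). */
static void make_zip64_eocd(uint8_t rec[ZIP64_EOCD_FIXED_LEN], uint64_t entries_on_disk) {
    memset(rec, 0, ZIP64_EOCD_FIXED_LEN);
    put_le32(rec, ZIP64_EOCD_SIG);
    put_le64(rec + 4, ZIP64_EOCD_FIXED_LEN - 12);   /* record size excludes signature and size field */
    put_le64(rec + 24, entries_on_disk);
    put_le64(rec + 32, entries_on_disk);            /* total entries across all disks */
}

/* Read the entry count for this disk from a Zip64 EOCD record.
 * Returns 0 on success, -1 if the record is too short or the signature is wrong. */
static int zip64_eocd_entries_on_disk(const uint8_t *rec, size_t len, uint64_t *nentry) {
    if (len < ZIP64_EOCD_FIXED_LEN || le32(rec) != ZIP64_EOCD_SIG) return -1;
    *nentry = le64(rec + 24);
    return 0;
}

/* Vulnerable pattern: count * entry size computed in 32-bit arithmetic.
 * A count of 0x80000000 times 46 wraps to 0, so the heap buffer is far too
 * small for the entries the parser then writes into it. */
static uint32_t unchecked_table_bytes(uint64_t nentry) {
    return (uint32_t)nentry * ENTRY_SIZE;
}

/* Hardened pattern: bound the count by what the archive could physically
 * hold, then check the multiplication itself before allocating. */
static int checked_table_bytes(uint64_t nentry, uint64_t archive_size, size_t *bytes) {
    if (nentry > archive_size / CDIR_ENTRY_MIN_LEN) return -1;  /* more entries than the bytes allow */
    if (nentry > SIZE_MAX / ENTRY_SIZE) return -1;              /* multiplication would overflow */
    *bytes = (size_t)nentry * ENTRY_SIZE;
    return 0;
}

/* Constructed test record (not from any real sample) with an oversized count.
 * Returns 1 only if the unchecked size wraps to zero while the checked
 * version rejects the count for a 4096-byte archive. */
static int oversized_count_is_caught(void) {
    uint8_t rec[ZIP64_EOCD_FIXED_LEN];
    uint64_t n;
    size_t bytes;
    make_zip64_eocd(rec, 0x80000000ull);
    if (zip64_eocd_entries_on_disk(rec, sizeof rec, &n) != 0) return 0;
    return n == 0x80000000ull && unchecked_table_bytes(n) == 0
        && checked_table_bytes(n, 4096, &bytes) == -1;
}

int main(void) {
    uint8_t rec[ZIP64_EOCD_FIXED_LEN];
    uint64_t n;
    size_t bytes;
    make_zip64_eocd(rec, 0x80000000ull);
    if (zip64_eocd_entries_on_disk(rec, sizeof rec, &n) != 0) return 1;
    printf("entries on this disk: %llu\n", (unsigned long long)n);
    printf("unchecked allocation size: %u bytes\n", unchecked_table_bytes(n));
    printf("checked allocation: %s\n",
           checked_table_bytes(n, 4096, &bytes) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The first check is the one that matters most in practice: a central directory entry occupies at least 46 bytes on disk, so any count larger than archive size divided by 46 is impossible and can be rejected before any arithmetic on it.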

CVE-2015-2331 attacks have been spotted in the wild.

The sample carries malicious values in the “total number of entries in the central directory on this disk” field of the ZIP.

This triggers the buffer overflow, which is used to drop an executable on the infected system and open a WinRAR dialog box.

The executable also creates a registry entry.

Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect their customers.

  • IPS 10853 : PHP _zip_cdir_new Function Integer Overflow 1
  • IPS 10854 : PHP _zip_cdir_new Function Integer Overflow 2