Your Email DLP Just Got Better and More Secure

These days, all types of business communications are done via email — so employees cannot sacrifice the mobility, reliability and economy of their inboxes. From contract information to the latest sales reports, it is imperative that email data remain confidential. A single wrong click can give away top-secret company information, broadcast private financial statements or expose sensitive negotiations.

CAS Data Loss Prevention (DLP) policies for Office 365 Email now include an automated workflow that allows emails violating an enabled CAS DLP policy to be encrypted before being sent, using the existing Microsoft Office 365 Encryption service included in several of the Microsoft 365 and Office 365 Enterprise bundles.

What is email encryption, and how does Microsoft 365 use it?

Encryption is the process by which information is encoded so that only an authorized recipient can decode and consume the information. Microsoft/Office 365 uses encryption in two ways: in the service, and as a customer control. Encryption is used in the Microsoft 365 service by default; you don’t have to configure anything. For example, Microsoft 365 uses Transport Layer Security (TLS) to encrypt the connection, or session, between two servers.

There are different ways to embed customer control in a workflow; below is one example.

Here’s how email encryption typically works:

  • If the encryption process is not automatic, the user selects the “Encrypt” option in Outlook.
  • The message is encrypted, or transformed from plain text into unreadable ciphertext, either on the sender’s machine or by a central server while the message is in transit.
  • The message remains in ciphertext while it’s in transit in order to protect it from being read if it is intercepted.
  • Once the message reaches its destination, the message is transformed back into readable plain text in one of two ways:
    • The recipient’s machine uses a key to decrypt the message, or
    • A central server decrypts the message on behalf of the recipient, after validating the recipient’s identity.

How does SonicWall Cloud App Security help?

When you have a Microsoft 365/Office 365 bundle that includes Office 365 Message Encryption (OME) and the CAS Advanced package, CAS can automatically encrypt emails that violate configured DLP policies. When you configure your CAS Office 365 Email DLP policy workflow to use the “Encrypted by Microsoft” action, an appropriate Exchange Online mail flow rule is created automatically. Using CAS’s “Protect (inline)” mode, emails are intercepted and evaluated against the selected DLP policy rules. When an outgoing email matches a DLP rule, SonicWall Cloud App Security automatically encrypts the email before it is allowed to be sent externally. With the embedded workflow, the admin can manage DLP content much more efficiently without any extra overhead — once the CAS policy is triggered, the mail is encrypted and delivered to the recipient.
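To make the inline decision concrete, here is an added example (my own Python, not SonicWall's or Microsoft's code) of the policy step the workflow above performs: each outgoing message is evaluated against DLP rules, and a match on mail leaving the tenant produces the "encrypt" action and the history entry an admin would later see. The rule set (a Luhn-checked card-number pattern and a US SSN pattern), the tenant domain `example.com`, and the `Message`/`Verdict` types are assumptions constructed for the demo; the encryption itself is handed off to OME and is not performed here.

```python
import re
from dataclasses import dataclass, field

# Constructed rule set standing in for an Office 365 Email DLP policy. The rule
# names, the tenant domain and the event wording are assumptions for this demo.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")      # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US social security number layout
INTERNAL_DOMAIN = "example.com"                      # assumed tenant domain


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in candidate; cuts false positives on plain numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str


@dataclass
class Verdict:
    matched_rules: list = field(default_factory=list)
    action: str = "deliver"                       # "deliver" or "encrypt"
    history: list = field(default_factory=list)   # what an Events pane entry would show


def is_external(address: str) -> bool:
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def evaluate(msg: Message) -> Verdict:
    """Inline (Protect mode) check of one outgoing message against the DLP rules."""
    v = Verdict()
    text = msg.subject + "\n" + msg.body
    if any(luhn_ok(m.group()) for m in PAN_RE.finditer(text)):
        v.matched_rules.append("PCI: payment card number")
    if SSN_RE.search(text):
        v.matched_rules.append("PII: US social security number")
    # The encryption action only applies to mail leaving the tenant.
    if v.matched_rules and any(is_external(r) for r in msg.recipients):
        v.action = "encrypt"
        v.history.append("DLP policy matched: " + "; ".join(v.matched_rules))
        v.history.append("Encrypted by Microsoft")   # hand-off to OME, as the workflow does
    return v
```

The Luhn check matters in practice: without it, any 13 to 19 digit ticket or order number would trigger the encryption action and train users to expect it on harmless mail.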

End-user email when a DLP workflow is invoked (screenshot)

Always stay updated

Once you’ve enabled the DLP workflow, outgoing emails that have been encrypted by the policy can be easily located under the Events pane. Selecting the event itself allows you to drill down into the Security Event details with the History visibly stating, “Encrypted by Microsoft.” There are various filters available to examine the available events more closely in case suspicious activity needs to be investigated.

Many cloud providers encrypt their servers to defend against outside threats, but don’t follow the information once it’s been shared or sent externally. That information can be copied, emailed and opened by anyone once it leaves your environment. With the introduction of this new workflow in SonicWall Cloud App Security, sensitive emails and file attachments can be automatically encrypted, preventing unauthorized access to your sensitive information outside of your environment.

Cloud App Security’s DLP workflow leverages your existing Office 365 Message Encryption (OME) services. This protects your sensitive emails, reducing the need for multiple encryption services and providers, and helps you manage costs by using services you’ve already paid for. Protecting sensitive information and saving money? Sounds like a total win to me!

Darkside ransomware targets large corporations. Charges up to $2M.

The SonicWall Capture Labs threat research team has observed a new family of ransomware called Darkside. The operators of this ransomware primarily target large corporations. Recently, Brookfield Residential, a Canadian land developer and home builder, was hit with Darkside ransomware. In this case, the operators not only encrypted data but also stole it and threatened to publish the company’s data online if it does not pay up. Darkside has been around since early August, and its operators have been launching multiple customized attacks against known high-revenue companies. The operators charge between $200,000 and $2M for file decryption. It has been reported that the operators have already obtained over $1M since the start of their campaign.

Infection Cycle:

When running the malware, the following User Account Control dialog is shown:

Files on the system are encrypted and given an “ehre.eb2e8d90” extension. A file named README.eb2e8d90.TXT is copied into all directories containing encrypted files.

README.eb2e8d90.TXT contains the following message:

As the malware is aimed at large corporations, the message states that over 100GB of data has been uploaded to the operators. However, we did not observe any data being uploaded during our analysis.
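The two on-disk artifacts described above (the renamed files and the ransom note dropped into each affected directory) are what a responder can sweep for on a file share. The following is an added example, my own Python and not SonicWall's tooling, that walks a directory tree and reports both. It generalises beyond the observed sample by matching any eight-hex-digit suffix and any README.<id>.TXT note, on the assumption (mine, not stated in the analysis) that the id changes per victim; the sample directory layout is constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter

# Artifacts named in the analysis above.
ENCRYPTED_EXT = ".ehre.eb2e8d90"
NOTE_NAME = "README.eb2e8d90.TXT"
# Generalisation (my assumption): treat any 8-hex-digit id the same way so a
# different victim id is still flagged.
GENERIC_EXT_RE = re.compile(r"\.[0-9a-f]{8}$", re.IGNORECASE)
GENERIC_NOTE_RE = re.compile(r"^README\.[0-9a-f]{8}\.TXT$", re.IGNORECASE)


def scan_tree(root):
    """Walk root and count renamed files and ransom notes, per directory."""
    findings = {"encrypted_files": 0, "notes": [], "dirs_hit": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if GENERIC_NOTE_RE.match(name):
                findings["notes"].append(os.path.join(dirpath, name))
            elif GENERIC_EXT_RE.search(name):
                findings["encrypted_files"] += 1
                findings["dirs_hit"][dirpath] += 1
    return findings


def verdict(findings):
    """A note next to renamed files is the strong signal; either alone is worth a look."""
    if findings["notes"] and findings["encrypted_files"]:
        return "ransomware-artifacts"
    if findings["notes"] or findings["encrypted_files"]:
        return "suspicious"
    return "clean"


def build_sample_tree(infected=True):
    """Constructed sample share: a Finance folder with two renamed files and the note."""
    root = tempfile.mkdtemp(prefix="darkside_demo_")
    with open(os.path.join(root, "untouched.txt"), "w"):
        pass
    if infected:
        finance = os.path.join(root, "Finance")
        os.makedirs(finance)
        for fname in ("budget.xlsx" + ENCRYPTED_EXT, "q3.docx" + ENCRYPTED_EXT, NOTE_NAME):
            with open(os.path.join(finance, fname), "w"):
                pass
    return root


if __name__ == "__main__":
    f = scan_tree(build_sample_tree())
    print(verdict(f), f["encrypted_files"], "renamed files,", len(f["notes"]), "note(s)")
```

On a real share, run it from a clean host with read-only access and feed the `dirs_hit` counter into the scoping of which directories were reachable from the infected account.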

 

The link provided in the ransom message leads to the following page hosted on a server on Tor:

Upon entering the key provided in the message, the following page is displayed:

$2 million in cryptocurrency is demanded for file decryption. It is interesting to note that, in addition to Bitcoin, Monero is offered as a valid payment method. Compared to Bitcoin, Monero is used significantly less by ransomware operators. However, one of Monero’s key features is its untraceability. We expect to see an increase in malware operators using cryptocurrency of this nature.

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: Darkside.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Cybersecurity News & Trends

This week, SonicWall experts are featured on three podcasts discussing Boundless Cybersecurity, the Mid-Year Update to the 2020 SonicWall Cyber Threat Report, and the future of work in the age of Covid-19.

SonicWall Spotlight

Podcast: Cybersecurity for the Post-Covid New Normal of Work – Harvard Business School

  • Harvard Business School Professor Joe Fuller talks with SonicWall CEO Bill Conner as part of their Managing the Future of Work project. Bill and Joe discuss how 2020 has changed the cybersecurity landscape, with Covid-19 forcing much of the workforce to work from home.

Tech Chat Episode 72: Boundless Cybersecurity and Ease of Use – Enterprise Management 360

  • SonicWall’s Terry Greer-King makes the case for Boundless Cybersecurity on the Tech Chat podcast.

Cyber Threats in the Time of Corona – Ping Podcast – Episode 27 – Firewalls.com

  • SonicWall’s Brook Chelmo guests on the latest episode of Firewalls.com’s Ping podcast, discussing the Mid-Year Update to the 2020 SonicWall Cyber Threat Report.

SonicWall Wins ChannelPro Reader’s Choice Award – SonicWall blog

  • SonicWall has been named the Bronze Winner in the “Best Security Hardware Vendor” category of the 2020 ChannelPro Readers’ Choice Awards. This is the fourth year running that SonicWall has placed in the top three for this category.

Batelco Partners with SonicWall to Launch Integrated Security Solutions for SMEs – ITP.net

Cybersecurity News

University of Utah Pays $450K to Stop Cyberattack on Servers – Washington Times

  • Following a ransomware attack on its computer servers, the University of Utah paid extortionists almost half a million dollars. The University states that it paid the ransom “as a proactive and preventive step” to prevent the data being leaked rather than to access the data.

Three Charged With Leaking Movies as Part of Global Piracy Ring – New York Times

  • Three men are facing federal charges for involvement in an international piracy ring known as the Sparks Group, a global movie and television piracy group.

Group of Unskilled Iranian Hackers Behind Recent Attacks With Dharma Ransomware – ZDNet

  • A group of Iranian cyberattackers described as “newbie hackers” has been targeting companies located in Russia, Japan, China and India.

Cyber Attack Halts New Zealand Stock Market for Third Straight Day – SecurityWeek

  • The New Zealand exchange (NZX) had to halt trading as a result of DDoS cyberattacks three days in a row. A spokesman for the NZX said they would not be commenting on the origins of the attacks, “given the nature of the issues”.

Federal Cyber Agency Releases Strategy to Secure 5G Networks – The Hill

  • The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a strategy to defend U.S. 5G networks against cyberthreats. The five “strategic initiatives” to secure the buildout of 5G systems include development standards and supply chain threat awareness.

In Case You Missed It

Advantech WebAccess NMS Arbitrary File Upload Vulnerability is being exploited

Advantech WebAccess/NMS is a web browser-based software package for network management systems (NMS). It is designed around the SNMP and ICMP communication standards for managing all Ethernet-enabled Advantech products and third-party devices. NMS gives users an easy-to-use platform to monitor and manage networks remotely. The Advantech WebAccess/NMS platform runs on top of the Apache web server.

Vulnerability | CVE-2020-10621

One of the services provided by Advantech WebAccess NMS enables users to upload a config file to the server and then instruct devices to restore their configuration from this uploaded config file. The service is requested via an HTTP request that carries the uploaded file and several parameters in multipart/form-data format. The request is handled by the class ConfigRestoreAction via the following Request-URI:

/SCMS/web/access/ConfigRestoreAction.action

An arbitrary file upload vulnerability exists in Advantech WebAccess NMS. This is due to the lack of sanitization of the “cfgfile” parameter in the ConfigRestoreAction class. When a request submitted to the “ConfigRestoreAction.action” endpoint is received, the execute() method of the ConfigRestoreAction class is called to handle it. The input parameter “cfgfile” is not sanitized before it is used to build the destination file path in the application installation directory. The destination file path can therefore point to any location on the NMS server, which leads to an arbitrary file upload condition.

In the below request, the attacker posts an HTTP request with a malicious file and crafted parameters to the vulnerable server.

POST /SCMS/web/access/ConfigRestoreAction.action?cfgfile=<crafted input> HTTP/1.1

A remote, unauthenticated attacker can exploit this vulnerability by submitting a crafted request to the target server. Successful exploitation could lead to arbitrary file upload and, in the worst case, code execution under the security context of the system.
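The root cause above is a client-controlled file name joined straight onto the install directory. As an added example (illustrative Python of my own, not Advantech's Java code), the first function reproduces that pattern and the second shows the fix a reviewer would ask for: reduce the name to its last path component, allow-list the expected extension, and verify the final path still lies inside the install directory. The directory `/opt/nms/restore` and the `.cfg` allow-list are assumptions for the demo.

```python
import posixpath

INSTALL_DIR = "/opt/nms/restore"   # assumed install directory (constructed for the demo)


def vulnerable_destination(cfgfile: str) -> str:
    """The flawed pattern: the supplied name is joined unsanitized, so '..' walks
    out of INSTALL_DIR and the write lands wherever the caller chose."""
    return posixpath.normpath(posixpath.join(INSTALL_DIR, cfgfile))


def safe_destination(cfgfile: str) -> str:
    """Hardened version: keep only the final component, allow-list the type,
    then confirm the normalized result is still under INSTALL_DIR."""
    name = posixpath.basename(cfgfile.replace("\\", "/"))   # strip any directory part
    if name in ("", ".", "..") or not name.lower().endswith(".cfg"):
        raise ValueError("rejected config file name: %r" % cfgfile)
    dest = posixpath.normpath(posixpath.join(INSTALL_DIR, name))
    # Defence in depth: basename() already prevents escape, but verify anyway.
    if posixpath.commonpath([INSTALL_DIR, dest]) != INSTALL_DIR:
        raise ValueError("path escapes install directory: %r" % cfgfile)
    return dest


def is_accepted(cfgfile: str) -> bool:
    """Convenience wrapper: True if safe_destination() would accept the name."""
    try:
        safe_destination(cfgfile)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("device01.cfg", "../../../tmp/traversal.cfg", "notes.txt"):
        print(name, "->", vulnerable_destination(name), "| accepted:", is_accepted(name))
```

The allow-list on extension is what stops the "code execution" outcome: even with a confined directory, letting the caller pick a name the web server will execute is still a hole.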

Trend Chart:

SonicWall Capture Labs Threat Research team provides protection against this exploit with the following signatures:

IPS: 15119 Advantech WebAccess ConfigRestoreAction Arbitrary File Upload

Affected Products:

Advantech WebAccess/NMS versions prior to 3.0.2 are affected by this vulnerability.

 

All it Takes is One Click!

Have you ever found yourself wondering whether you should click a URL you received in an email? Thinking, “Where does the URL really go? Is it safe for me to access, or is there malware or a fake login page on the other end?”

You don’t have to wonder anymore — SonicWall is excited to announce that Cloud App Security now provides even more URL protection straight out of the box. In addition to pre-delivery email URL analysis, Cloud App Security now includes Click-Time Protection to block URL access to sites that were initially benign but are now malicious.

Attacks evolve with each passing day, and differentiating a legitimate link from a malicious link is a constant challenge. Attackers attempt to evade detection by using compromised servers that appear benign until after the message has been delivered. But with Click-Time Protection, you get an additional layer of safety. Each and every time a user clicks on a URL received in email, it is analyzed, and access is blocked if that website is found to be malicious.

Secure Mail in Transit

“You can’t be what you can’t see” is a simple way to explain how SonicWall Cloud App Security helps you secure your inbox. Virtual inline protection analyzes URLs contained in emails before they’re delivered to the user’s mailbox. URLs found to be malicious are blocked, never reaching the user. URLs that are benign at delivery are now replaced with a SonicWall URL. When anyone clicks that link, SonicWall tests the site before redirecting the user to it.

SonicWall Cloud App Security provides Pre-Inbox and Post-Delivery solutions and protects against ever-increasing zero-day malware and malicious sites. Then it goes one step further, scanning emails across the company and retracting any other email that might be affected by the same threat.

Behind the Scenes: How We Protect Users

Regardless of whether you’re securing a few users or a few thousand users, the configuration options are simple and easy to manage. SonicWall Cloud App Security’s Click-Time Protection offers the flexibility to configure policy for all users, specific users, or a group, and provides three actions to choose from:

  1. Do nothing: Trust the user’s judgment and allow access to the site.
  2. Block: Prevent the user from visiting the site when the URL is found to be malicious.
  3. Warn: Notify if malicious, but allow the user to choose to proceed to the site.

Once Click-Time Protection has been enabled and policies are set, all links contained in incoming emails are replaced with SonicWall links. When the user clicks on a link, it triggers an immediate scan of the target site. If it is determined to be benign, the user continues without interruption. If it is determined to be malicious, the user is sent to a warning page. The user may be offered a link to the malicious page based on the policy and group they have been assigned to by the admin.
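The two halves of the mechanism just described, link substitution at delivery and a re-check at click time with a per-group action, fit in a short program. This is an added example in my own Python, not SonicWall's implementation: the rewrite endpoint `protect.example.net`, the HMAC signing of the original URL (so a rewritten link cannot be tampered with to point elsewhere), the tiny reputation table and the group-to-action policy are all constructed assumptions. The reputation table deliberately contains a site that is benign in one lookup and malicious in the next, which is the "benign at delivery, malicious later" case the text is about.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, urlparse, parse_qs

SECRET = b"constructed-demo-key-rotate-in-production"   # signing key (constructed)
REWRITE_HOST = "https://protect.example.net/click"       # assumed rewrite endpoint
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed reputation feed. In the real service this is a live scan at click time;
# here it models a site that was clean when delivered but is now flagged.
REPUTATION = {
    "https://updates.example.org/report.pdf": "benign",
    "https://login-verify.example.biz/": "malicious",
}

# The three actions from the list above, assigned per group (constructed policy).
POLICY = {"finance": "block", "it": "warn", "default": "nothing"}


def _sign(url: str) -> str:
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_links(body: str) -> str:
    """Pre-delivery step: replace every URL with a signed redirect through the service."""
    def repl(m):
        original = m.group(0)
        return "%s?u=%s&sig=%s" % (REWRITE_HOST, quote(original, safe=""), _sign(original))
    return URL_RE.sub(repl, body)


def resolve_click(clicked_url: str, group: str):
    """Click-time step: verify the link is ours and untampered, re-check reputation,
    then apply the group's action. Returns (decision, original_url)."""
    parsed = urlparse(clicked_url)
    params = parse_qs(parsed.query)
    if not clicked_url.startswith(REWRITE_HOST + "?") or "u" not in params or "sig" not in params:
        return ("invalid", None)
    original = params["u"][0]                     # parse_qs already percent-decodes
    if not hmac.compare_digest(params["sig"][0], _sign(original)):
        return ("invalid", None)                  # tampered rewrite link
    if REPUTATION.get(original, "unknown") != "malicious":
        return ("allow", original)                # benign: user continues uninterrupted
    action = POLICY.get(group, POLICY["default"])
    if action == "block":
        return ("block", original)
    if action == "warn":
        return ("warn", original)                 # warning page with a proceed link
    return ("allow", original)                    # "do nothing": trust the user's judgment
```

Keying the signature on the original URL is the detail to keep: without it, anyone who learns the rewrite format can craft a protect.example.net link that redirects wherever they like and carries the service's implied trust.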

Enhanced Visibility — Analysis and investigation

Encountering a threat and obtaining forensic details of that threat are two separate actions that SonicWall’s Cloud App Security seamlessly stitches together without losing the essence or any details in translation. Each stage of the Click-Time Protection process is recorded for investigation and auditing purposes, from the original URL substitution event to the result of the time-of-click scan. Each step is logged and can be readily accessed based on the threat type. The events are grouped together so the activity can be easily understood.

Completing the Security Loop

The addition of Click-Time Protection to SonicWall Cloud App Security bolsters post-delivery protection, making our advanced anti-phishing technology even more robust. SonicWall Cloud App Security delivers next-gen security for SaaS applications, protecting email, data and user credentials from advanced threats while ensuring compliance in the cloud. SonicWall Cloud App Security also provides API-based security for software as a service (SaaS), delivering visibility, data security, advanced threat protection and compliance — all with low TCO, minimal deployment overhead and a seamless user experience.

To learn more about SonicWall Cloud App Security, click here.

SonicWall Wins ChannelPro Reader’s Choice Award

SonicWall has been named the Bronze Winner in the “Best Security Hardware Vendor” category of the 2020 ChannelPro Readers’ Choice Awards.

The ChannelPro Network provides targeted business and technology information for IT channel partners who serve small and midsize businesses. Winners were chosen by a self-selected panel of ChannelPro Network online visitors and magazine readers, who participated by casting their votes for the most SMB- and partner-friendly products, technologies, services, programs, and professional organizations in the IT channel today.

More than 1,500 votes were collected between March 3 and May 8, with the winners announced earlier this month. This marks the fourth consecutive year that SonicWall has placed in the top three for this category, and we’d like to thank ChannelPro voters for their continued loyalty and support.

Android spyware abusing app icons for Amazon, Netflix and other popular apps

Mobile applications have made our lives easy: be it entertainment, social media, e-commerce or banking, there is an app for everything. Popular app names are misused by malware authors to victimize users.

The SonicWall Capture Labs threat research team has been observing spyware that uses the icons of popular Android apps with millions of downloads. Icons of some popular apps being abused by the spyware:

(Original vs fake app icon)

Upon tapping the app icon, a pop-up with the message “App isn’t installed” is displayed, suggesting to the user that the app did not install, while the app also hides its icon from the app drawer.

A config file is created which indicates that the app tried to establish a connection with the remote host “193.161.193.99”.

 

The spyware is capable of:

  • Hiding its icon from the app drawer
  • Reading contacts and call logs
  • Reading SMS
  • Reading geolocation data
  • Detecting the Internet connection type
  • Fetching the installed application list and updates
  • Recording audio
  • Checking whether the device is rooted
  • Making phone calls
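Every capability in that list except icon hiding and the root check needs a declared permission, and the SMS interception needs a receiver for the broadcast the analysis names, so a manifest alone already tells an analyst a lot. The following is an added triage example in my own Python (not SonicWall's tooling): it maps the capabilities above to the permissions they require, parses an AndroidManifest.xml, and scores the result. The permission mapping, the scoring thresholds and the generated sample manifests are my assumptions; the package names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Capability (from the list above) -> permission(s) an app needs for it (my mapping).
CAPABILITY_PERMISSIONS = {
    "read contacts": {"android.permission.READ_CONTACTS"},
    "read call log": {"android.permission.READ_CALL_LOG"},
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "network state": {"android.permission.ACCESS_NETWORK_STATE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "make phone calls": {"android.permission.CALL_PHONE"},
}

# Constructed permission set mirroring the capability list; not taken from a real sample.
SPY_PERMISSIONS = [
    "android.permission.INTERNET", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_NETWORK_STATE", "android.permission.RECORD_AUDIO",
    "android.permission.CALL_PHONE",
]


def make_manifest(package, permissions, sms_receiver):
    """Build a minimal constructed AndroidManifest.xml for the demo."""
    perms = "\n".join('  <uses-permission android:name="%s"/>' % p for p in permissions)
    receiver = ""
    if sms_receiver:
        receiver = ('    <receiver android:name=".SmsReceiver"><intent-filter>'
                    '<action android:name="%s"/></intent-filter></receiver>\n' % SMS_RECEIVED)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">\n%s\n  <application android:label="Shopping">\n%s'
            '  </application>\n</manifest>' % (package, perms, receiver))


def triage(manifest_xml):
    """Parse a manifest and report which listed capabilities its permissions enable."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    caps = [c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    # Manifest-registered receiver for the SMS_RECEIVED broadcast the analysis mentions.
    sms_hook = any(a.get(ANDROID_NS + "name") == SMS_RECEIVED for a in root.iter("action"))
    score = len(caps) + (1 if sms_hook else 0)
    risk = "high" if score >= 5 else "medium" if score >= 3 else "low"   # thresholds: my choice
    return {"package": root.get("package"), "capabilities": caps,
            "sms_receiver": sms_hook, "risk": risk}


if __name__ == "__main__":
    print(triage(make_manifest("com.example.fakeshop", SPY_PERMISSIONS, True)))
```

Icon hiding and the root check leave no manifest trace (they are done at runtime), so a "low" score here is not a clean bill; the score is for prioritising which APKs get dynamic analysis first.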

Technical Details:

The app hides its icon, making it difficult for the user to identify the app responsible for the spying activity:

Reads the contact list with other details (such as saved email IDs) via MIME types, and the call log:

(Victim’s call log)

Reads SMS every time the user receives a new SMS, using “android.provider.Telephony.SMS_RECEIVED”:

It accesses the victim’s geolocation data:

Checks whether the victim’s Internet connection is Wi-Fi or mobile data (2G/3G/4G) based on the return value of “getNetworkType”:

It fetches installed application information from the victim’s device:

Captures audio with the multiple recording options supported on the device:

Capable of making a phone call to a specified number:

SonicWall Capture Labs provides protection against this threat with the following signature:

  • AndroidOS.SpyNote.SD

Indicators of Compromise (IOCs):

  • 5fe3a6571f7709ea967af6d5b333ebc200375c986575d44a66f032b053741339
  • 7419092afc4b71d5ec50f5ed32452520a36b3c20efb0efddb37b9de9ed0a4b7f
  • 8d6158ae2c442aa3aa6a3d3291b14a76b7007903c1fe4df5b16c15c962f7e4cd
  • ad9191973d233f53a55b498ad55710b9a2abc15d905eeea14753fc3df5c0d880
  • 6b02203b5ca6133f4c7c51be4be1784f3c695523d7e70b39db098668bd1201c6
  • 90e6113130cea5c601399c7804793f34a76af10974e6c70920a964f6ddc3a21a
  • 7491a5d7dccf2034826a984c9dca42718ca7921d63596d68fb4586fe652291c2
  • e73d9c382da3e108ef13dace8b644100d89d766106bdbdf7e4f5853b5b75f279
  • 5bd051ee3610fb752c16a319131e93846c321b80752df3d54aea346a03aa6155
  • eaee3179c7e9be8b5653b404f7d29990c1644193c7f6f8e52729a7878ae4c2a7
  • a9f6f8b2fb0ddaf6f6e9171c566950d2c604aa2d2e703e2397f1450b1075db91
  • 80f14b2fce58261442622fa77d861604b7f8548f4cf373387f2aa360d4f3560a
  • a3abb775436bcf82554cd90150974867bff000c9ab432b1bd6937cdf525bcf81
  • c8dd02c9b2874c5a8ab6d79e713665d17e405505fbc18464cd070d1368e2d4a0
  • 442d0177494542ec553196e689d9e6120dbff5e3acc0dfa777fce470dea937cb
  • 6f14f011dc2eced02b0bbab79e05f985b39cd66dd8f5dc950092c9ffa3c82a51
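To turn the hash list above into something a mobile-device or file-share sweep can use, here is an added example in my own Python (not SonicWall's code). It normalises the list as pasted (bullets, case, stray whitespace), hashes candidate files in streamed chunks, and reports matches. The sample APK files are constructed and will not match the real IOCs, so the demo also injects the digest of one constructed file into a test set to show a positive hit.

```python
import hashlib
import os
import re
import tempfile

# The SHA-256 IOCs from the list above, pasted as-is.
IOC_TEXT = """
  • 5fe3a6571f7709ea967af6d5b333ebc200375c986575d44a66f032b053741339
  • 7419092afc4b71d5ec50f5ed32452520a36b3c20efb0efddb37b9de9ed0a4b7f
  • 8d6158ae2c442aa3aa6a3d3291b14a76b7007903c1fe4df5b16c15c962f7e4cd
  • ad9191973d233f53a55b498ad55710b9a2abc15d905eeea14753fc3df5c0d880
  • 6b02203b5ca6133f4c7c51be4be1784f3c695523d7e70b39db098668bd1201c6
  • 90e6113130cea5c601399c7804793f34a76af10974e6c70920a964f6ddc3a21a
  • 7491a5d7dccf2034826a984c9dca42718ca7921d63596d68fb4586fe652291c2
  • e73d9c382da3e108ef13dace8b644100d89d766106bdbdf7e4f5853b5b75f279
  • 5bd051ee3610fb752c16a319131e93846c321b80752df3d54aea346a03aa6155
  • eaee3179c7e9be8b5653b404f7d29990c1644193c7f6f8e52729a7878ae4c2a7
  • a9f6f8b2fb0ddaf6f6e9171c566950d2c604aa2d2e703e2397f1450b1075db91
  • 80f14b2fce58261442622fa77d861604b7f8548f4cf373387f2aa360d4f3560a
  • a3abb775436bcf82554cd90150974867bff000c9ab432b1bd6937cdf525bcf81
  • c8dd02c9b2874c5a8ab6d79e713665d17e405505fbc18464cd070d1368e2d4a0
  • 442d0177494542ec553196e689d9e6120dbff5e3acc0dfa777fce470dea937cb
  • 6f14f011dc2eced02b0bbab79e05f985b39cd66dd8f5dc950092c9ffa3c82a51
"""
HEX64 = re.compile(r"^[0-9a-f]{64}$")


def load_iocs(text):
    """Normalise a pasted IOC list: strip bullets and whitespace, lowercase, keep valid SHA-256."""
    iocs = set()
    for line in text.splitlines():
        value = line.strip().lstrip("•*-").strip().lower()
        if HEX64.match(value):
            iocs.add(value)
    return iocs


IOC_SHA256 = load_iocs(IOC_TEXT)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large APKs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def sweep(directory, iocs, extensions=(".apk",)):
    """Hash every file with a matching extension under directory; return (path, digest) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                digest = sha256_file(path)
                if digest in iocs:
                    hits.append((path, digest))
    return hits


def demo():
    """Constructed sample: two APKs; one digest is injected into a test IOC set."""
    d = tempfile.mkdtemp(prefix="ioc_demo_")
    benign, suspect = os.path.join(d, "benign.apk"), os.path.join(d, "suspect.apk")
    with open(benign, "wb") as f:
        f.write(b"PK constructed benign payload")
    with open(suspect, "wb") as f:
        f.write(b"PK constructed suspect payload")
    test_set = IOC_SHA256 | {sha256_file(suspect)}
    return [p for p, _ in sweep(d, test_set)], sweep(d, IOC_SHA256)
```

Hash IOCs only catch the exact samples listed; pair this sweep with the permission-based triage of the manifest for anything repackaged with a new signature.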

Get the Most out of Your Security Appliance with Multi-Instance

Most enterprises, colleges and universities, government agencies and MSSPs have deployed a number of stand-alone appliances to segment and secure different departments, data centers and customers over the years. Even though this type of deployment offers needed security, it creates operational and management complexities. In order to improve operational efficiency while dealing with constant changes to IT and network infrastructure, security professionals need to look at more efficient ways to deploy security appliances.

To help our customers increase efficiency and get the most out of their security appliances, SonicWall has added multi-instance capability to our latest NSsp 15700 high-end firewall. Here’s how our newest feature works, and how it compares with its predecessors.

Traditional way of doing things: Multi-tenant

Apart from deploying multiple standalone appliances to achieve segmentation and secure different entities, customers can also use multi-tenant technology. Multi-tenant allows security professionals to logically segment one instance into multiple virtual firewalls on a single security appliance. Those virtual firewalls will share the same physical resources available on the security appliance, such as CPU, memory, and interfaces. Although this method allows improved operational efficiency and the ability to deploy more than one firewall on a single security appliance, it has some limitations:

  • Virtual firewalls need to have the same software version installed — they cannot have independent versions
  • Potential for hardware resource starvation if one of the logical firewalls is oversubscribed
  • Firewall management tenant is shared, leading to configuration limitations

Multi-instance: A new generation multi-tenant

SonicWall has taken a modern approach to legacy multi-tenant with its multi-instance feature, which uses containerized architecture. This new feature enables security professionals to run multiple independent firewall instances on a single security appliance. Each firewall instance is allocated its own hardware resources, including CPU, memory and interfaces, thereby removing any potential for resource starvation.

In a containerized architecture, each firewall instance gets its own container, so they truly act as independent firewalls. This means each instance can have its own version of software, allowing for independent software upgrades and reboots. Management of each instance is done separately for every entity in the enterprise, allowing for customized security policy configuration. Multi-instance firewalling also enables flexible physical and logical interface assignments, which in turn enables simple network configurations. The figure below depicts single- versus multi-instance architecture on a four-CPU physical appliance.

Figure 1: Multi-tenant shares resources between firewall tenants. FW2 is compromised, causing resource starvation for all FW tenants.

Figure 2: Multi-instance allocates dedicated resources for each firewall instance. FW2 is compromised but isolated, allowing other instances to function normally.

Multi-instance versus multi-tenant

Traditional multi-tenant architectures suffer from resource starvation and tenant failures; this is where SonicWall’s multi-instance architecture shines. The table below offers a high-level comparison between the multi-instance and multi-tenant approaches.

Modern multi-instance | Legacy multi-tenant

  • Multiple firewalls on one appliance
  • Containerized architecture
  • Complete tenant isolation
  • Independent software versions
  • Independent management
  • Multi-service potential
  • Single tenant failure resistant
  • Resource starvation resistant
  • HA instances

Table 1: Multi-instance versus multi-tenant

Multi-instance firewalling will initially be available on the new SonicWall NSsp 15700 in August 2020. SonicWall NSsp is powered by SonicOSX, which includes many other new features such as unified policy, a new security management platform, a new low-end appliance and more. To learn more about SonicWall NSsp, please visit www.sonicwall.com/NSsp.

Cybersecurity News & Trends – 08-21-20

This week, U.S. national security was at the forefront, with authorities working to secure voting systems ahead of the November elections, FBI and CISA issuing warnings about Linux malware and the U.S. Army detailing North Korea’s cyberattack strategies.

SonicWall Spotlight

Interview: Bill Conner, President and CEO, SonicWall — Infosecurity

  • With remote working likely to be far more common going forward, businesses are considering what they should do to adequately secure themselves.

How to Negotiate with Cyber Terrorists During a Pandemic — Bloomberg (United Kingdom)

  • According to SonicWall’s mid-year Cyber Threat Report, the number of ransomware attacks climbed 20% in the first half of the year, to a total of 121.4 million.
    *Syndicated on Yahoo! Finance UK, Washington Post and The Star

D&H Expands Hosted Security Offerings for MSPs, SMBs — Channelnomics

  • D&H Distributing is giving MSPs and SMB end customers access to SonicWall’s security solutions through a subscription model that removes upfront costs and offers predictable monthly payments.

Cybersecurity News

Taiwan says China behind cyberattacks on government agencies, emails — Reuters

  • Taiwan said hacking groups linked to the Chinese government had attacked at least 10 government agencies and some 6,000 government email accounts to steal important data.

FritzFrog malware attacks Linux servers over SSH to mine Monero — Bleeping Computer

  • A sophisticated botnet campaign named FritzFrog has been discovered breaching SSH servers around the world.

Ongoing Campaign Uses HTML Smuggling for Malware Delivery — Security Week

  • Referred to as Duri, the campaign attempts to evade network security solutions, including proxies and sandboxes, to deliver malicious code.

IRS Granted Tens of Thousands of Devices Network Access Without Proper Authentication — Nextgov

  • Most devices accessing the Internal Revenue Service’s internal network using wireless connections and virtual private networks weren’t authenticated, according to an audit.

U.S. Army Report Describes North Korea’s Cyber Warfare Capabilities — Security Week

  • A 332-page report, titled “North Korean Tactics,” details North Korean forces and their actions, with one chapter focusing on electronic intelligence warfare.

How a new federal policy for telling election officials about cyber-intrusions got put to use — Cyberscoop

  • An unidentified hacker reportedly spoofed the email account of a voting-equipment vendor and sent a phishing email to a local election official in Missouri.

NSA and FBI warn that new Linux malware threatens national security — Ars Technica

  • The FBI and NSA have issued a joint warning that Russian state hackers are using a previously unknown piece of Linux malware to infiltrate sensitive networks, steal confidential information, and execute malicious commands.

CISA Warns of Phishing Emails Delivering KONNI Malware — Security Week

  • The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert providing information on attacks delivering the KONNI remote access Trojan (RAT).

CactusPete hackers go on European rampage with Bisonal backdoor upgrade — ZDNet

  • The APT is attacking banks and military organizations throughout Eastern Europe.

Lawmakers introduce bill to help election officials address cyber vulnerabilities — The Hill

  • Reps. John Katko (R-N.Y.) and Kathleen Rice (D-N.Y.) introduced legislation to provide election officials with enhanced cybersecurity resources, as authorities ramp up warnings of foreign interference in the upcoming U.S. elections.

In Case You Missed It

Citrix ADC and Gateway Authorization Bypass Vulnerability

Citrix ADC is an application delivery and load balancing solution that provides a high-quality user experience for web, traditional, and cloud-native applications – regardless of where they are hosted. It also provides web application acceleration as well as Gateway functionality. Citrix ADC and Gateway are accessed primarily via HTTPS on port 443/TCP.

Vulnerability (CVE-2020-8193)

An authorization bypass vulnerability exists in Citrix Application Delivery Controller and Gateway. The vulnerability lets remote users obtain a valid session ID on the Web UI without authentication. A remote, unauthenticated attacker could exploit the vulnerability by sending crafted requests to the target server. Successful exploitation can result in authentication bypass.

The NetScaler IP (NSIP) address is the IP address used to access the NetScaler appliance for management purposes over HTTP (port 80). To restrict the NSIP administrative Web UI from unauthenticated users, the Admin UI requires the remote user to log in using an HTTP POST request.

After the remote users authenticate themselves, the server generates a sessionID in a cookie for the administrative session. Due to a design flaw, this vulnerability can be triggered by posting to the report() function.

Based on the value specified in the parameter type, the function report() calls the respective private functions inside the pcidss.php script. Due to the implementation flaw, the report function only checks for the presence of “loginchallengeresponse” in the parameters of the POST request. This allows authentication bypass, and the attacker can obtain a valid session ID which can later be used to gain direct access to the device.

Impact

A quick check on Shodan reveals hundreds of vulnerable systems.
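The flaw above is an authorization check that tests for the presence of a request parameter instead of for a session the server actually issued. As an added example in my own Python (illustrative, not Citrix's PHP), the first handler reproduces that shape and the second shows the corrected check: the session id in the cookie must exist in the server-side store that only a successful login populates, and the `type` value is allow-listed before dispatch. The credential, the session store and the report-type allow-list are constructed for the demo.

```python
import secrets

SESSIONS = {}   # constructed server-side session store: session id -> user
REPORT_TYPES = ("pcidss", "summary")   # assumed allow-list of report types


def login(username, password):
    """Constructed login: a real appliance checks its own credential store.
    Issues a random 128-bit session id only on success."""
    if (username, password) != ("admin", "constructed-demo-password"):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid


def report_vulnerable(params, cookies):
    """Mirrors the flaw described above: the mere presence of the
    loginchallengeresponse parameter is accepted as proof of authentication."""
    if "loginchallengeresponse" not in params:
        return 403, None
    return 200, {"report": params.get("type")}


def report_fixed(params, cookies):
    """Hardened: the caller must present a session id this server issued,
    and the dispatch value is validated before any private function runs."""
    sid = cookies.get("sessionid")
    if not sid or sid not in SESSIONS:
        return 401, None               # not authenticated, regardless of body parameters
    if params.get("type") not in REPORT_TYPES:
        return 400, None
    return 200, {"report": params["type"], "user": SESSIONS[sid]}


if __name__ == "__main__":
    print(report_vulnerable({"loginchallengeresponse": "x", "type": "pcidss"}, {}))
    print(report_fixed({"loginchallengeresponse": "x", "type": "pcidss"}, {}))
```

The detection angle follows from the same observation: POST requests to the report endpoint that carry `loginchallengeresponse` without a previously issued session cookie are the traffic the two IPS signatures below exist to flag.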

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • IPS 15098:Citrix Products Authorization Bypass 1
  • IPS 15099:Citrix Products Authorization Bypass 2

Threat Graph

Vulnerable Products

Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7

Citrix has patched this vulnerability and the fix is available here.