Microsoft Security Bulletin Coverage for February 2024

Overview
Microsoft’s February 2024 Patch Tuesday has 72 vulnerabilities – 30 of which are Remote Code Execution. The vulnerabilities can be classified into the following categories:

  • 30 Remote Code Execution Vulnerabilities
  • 17 Elevation of Privilege Vulnerabilities
  • 10 Spoofing Vulnerabilities
  • 8 Denial of Service Vulnerabilities
  • 4 Information Disclosure Vulnerabilities
  • 3 Security Feature Bypass Vulnerabilities

Figure 1: Breakdown by category

SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of February 2024 and has produced coverage for 7 of the reported vulnerabilities.


Vulnerabilities with Detections

CVE-2024-21338 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 530 Exploit-exe exe.MP_365

CVE-2024-21345 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 534 Exploit-exe exe.MP_368

CVE-2024-21346 Win32k Elevation of Privilege Vulnerability

  • ASPY 539 Exploit-exe exe.MP_369

CVE-2024-21357 Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

  • ASPY 532 Exploit-exe exe.MP_367

CVE-2024-21371 Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 531 Exploit-exe exe.MP_366

CVE-2024-21379 Microsoft Word Remote Code Execution Vulnerability

  • ASPY 533 Malformed-pdf pdf.MP_219

CVE-2024-21412 Internet Shortcut Files Security Feature Bypass Vulnerability

  • ASPY 540 Malformed-jpg jpg.MP_23

CVE-2024-21413 Microsoft Outlook Remote Code Execution Vulnerability

  • IPS 4305 Microsoft Outlook MONIKERLINK Security Feature Bypass
  • IPS 4307 Microsoft Outlook MONIKERLINK Security Feature Bypass 2

Adobe Coverage

CVE-2024-20748 Acrobat Reader Out-of-bounds Read

  • ASPY 535 Malformed-pdf pdf.MP_220

CVE-2024-20736 Acrobat Reader Out-of-bounds Read

  • ASPY 536 Malformed-pdf pdf.MP_221

CVE-2024-20726 Acrobat Reader Out-of-bounds Write

  • ASPY 537 Malformed-pdf pdf.MP_222

CVE-2024-20747 Acrobat Reader Out-of-bounds Read

  • ASPY 538 Malformed-pdf pdf.MP_223


Remote Code Execution Vulnerabilities 

CVE-2024-20667              Azure DevOps Server Remote Code Execution Vulnerability

CVE-2024-20673              Microsoft Office Remote Code Execution Vulnerability

CVE-2024-21339              Windows USB Generic Parent Driver Remote Code Execution Vulnerability

CVE-2024-21341              Windows Kernel Remote Code Execution Vulnerability

CVE-2024-21347              Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2024-21349              Microsoft ActiveX Data Objects Remote Code Execution Vulnerability

CVE-2024-21350              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21352              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21353              Microsoft WDAC ODBC Driver Remote Code Execution Vulnerability

CVE-2024-21357              Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability

CVE-2024-21358              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21359              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21360              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21361              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21363              Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability

CVE-2024-21365              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21366              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21367              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21368              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21369              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21370              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21372              Windows OLE Remote Code Execution Vulnerability

CVE-2024-21375              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21376              Microsoft Azure Kubernetes Service Confidential Container Remote Code Execution Vulnerability

CVE-2024-21378              Microsoft Outlook Remote Code Execution Vulnerability

CVE-2024-21379              Microsoft Word Remote Code Execution Vulnerability

CVE-2024-21384              Microsoft Office OneNote Remote Code Execution Vulnerability

CVE-2024-21391              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability

CVE-2024-21413              Microsoft Outlook Remote Code Execution Vulnerability

CVE-2024-21420              Microsoft WDAC OLE DB provider for SQL Server Remote Code Execution Vulnerability


Elevation of Privilege Vulnerabilities

CVE-2024-21304              Trusted Compute Base Elevation of Privilege Vulnerability

CVE-2024-21315              Microsoft Defender for Endpoint Protection Elevation of Privilege Vulnerability

CVE-2024-21329              Azure Connected Machine Agent Elevation of Privilege Vulnerability

CVE-2024-21338              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21345              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21346              Win32k Elevation of Privilege Vulnerability

CVE-2024-21354              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21355              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21364              Microsoft Azure Site Recovery Elevation of Privilege Vulnerability

CVE-2024-21371              Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21374              Microsoft Teams for Android Information Disclosure

CVE-2024-21397              Microsoft Azure File Sync Elevation of Privilege Vulnerability

CVE-2024-21401              Microsoft Entra Jira Single-Sign-On Plugin Elevation of Privilege Vulnerability

CVE-2024-21402              Microsoft Outlook Elevation of Privilege Vulnerability

CVE-2024-21403              Microsoft Azure Kubernetes Service Confidential Container Elevation of Privilege Vulnerability

CVE-2024-21405              Microsoft Message Queuing (MSMQ) Elevation of Privilege Vulnerability

CVE-2024-21410              Microsoft Exchange Server Elevation of Privilege Vulnerability


Denial of Service Vulnerabilities 

CVE-2024-20684              Windows Hyper-V Denial of Service Vulnerability

CVE-2024-21342              Windows DNS Client Denial of Service Vulnerability

CVE-2024-21343              Windows Network Address Translation (NAT) Denial of Service Vulnerability

CVE-2024-21344              Windows Network Address Translation (NAT) Denial of Service Vulnerability

CVE-2024-21348              Internet Connection Sharing (ICS) Denial of Service Vulnerability

CVE-2024-21356              Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability

CVE-2024-21386              .NET Denial of Service Vulnerability

CVE-2024-21404              .NET Denial of Service Vulnerability


Information Disclosure Vulnerabilities

CVE-2024-20695              Skype for Business Information Disclosure Vulnerability

CVE-2024-21340              Windows Kernel Information Disclosure Vulnerability

CVE-2024-21377              Windows DNS Information Disclosure Vulnerability

CVE-2024-21380              Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability


Spoofing Vulnerabilities 

CVE-2024-20679              Azure Stack Hub Spoofing Vulnerability

CVE-2024-21327              Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

CVE-2024-21328              Dynamics 365 Sales Spoofing Vulnerability

CVE-2024-21381              Microsoft Azure Active Directory B2C Spoofing Vulnerability

CVE-2024-21389              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21393              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21394              Dynamics 365 Field Service Spoofing Vulnerability

CVE-2024-21395              Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

CVE-2024-21396              Dynamics 365 Sales Spoofing Vulnerability

CVE-2024-21406              Windows Printing Service Spoofing Vulnerability


Security Feature Bypass Vulnerabilities

CVE-2024-21351              Windows SmartScreen Security Feature Bypass Vulnerability

CVE-2024-21362              Windows Kernel Security Feature Bypass Vulnerability

CVE-2024-21412              Internet Shortcut Files Security Feature Bypass Vulnerability

Wessy Ransomware Bears Striking Similarities to Uransomware

The SonicWall Capture Labs threat research team has been tracking ransomware that encrypts files and claims to charge only $100 for file retrieval. It is written in .NET and obfuscated using Eziriz's .NET Reactor. However, it is trivial to de-obfuscate and decompile using open-source tools. It is believed that this malware is from the same family as Uransomware (which we discussed in a previous blog post). Uransomware did not use obfuscation, but the code is very similar.

Infection Cycle

The code contains a region check which queries the current input language:

Figure 1: Query

A message box stating “Forbidden Country” is shown on the desktop if the specified region is detected and the program exits:

Figure 2: Forbidden Country message

If this region is not detected, the malware encrypts files on the system and appends “.wessy” to the filenames.

The code is obfuscated using software called Eziriz's .NET Reactor. This is used to prevent disassembly of the malware and hinder reverse engineering:

Figure 3: Obfuscation

The obfuscation is easy to reverse using an open-source tool called NETReactorSlayer by SychicBoy on GitHub. A single command de-obfuscates the code, and another single command using ILSpy decompiles it. After this, the malware's underlying functionality is revealed.

A ransom note is present in the deobfuscated code:

Figure 4: Ransom note

This message is written to READ_ME.txt:

Figure 5: READ_ME.txt

READ_ME.txt is dropped into all directories that contain encrypted files.

The following image is displayed on the desktop background:

Figure 6: Desktop background image

The malware contains a list of files to ignore:

Figure 7: List of files to ignore

The following file types are targeted for encryption:

Figure 8: Encryption targets

The malware contains a list of targeted directories:

Figure 9: Targeted directories

In order to disable system backups, the following applications are killed if they are running on the system:

Figure 10: Process kill list

The malware disables multiple system recovery measures:

Figure 11: Malware disabling recovery measures

We tried to reach out to the malware operator via the uTox address stated in the ransom note, but we received no reply.

SonicWall Protections

SonicWall Capture Labs protects against this threat via the following signature:

  • GAV: Wessy.RSM(Trojan)

This threat is also detected by SonicWall Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Ivanti Server-Side Request Forgery to Auth-Bypass

Overview

Ivanti has disclosed two more vulnerabilities: a server-side request forgery (CVE-2024-21893) and a privilege escalation (CVE-2024-21888). This disclosure comes only a few weeks after Ivanti confirmed an exploit chain impacting Ivanti Connect Secure and Ivanti Policy Secure. Ivanti has acknowledged that CVE-2024-21893 has impacted certain customers in targeted instances.

The SonicWall Capture Labs threat research team became aware of a server-side request forgery (SSRF) in Ivanti Connect Secure, Ivanti Policy Secure and ZTA gateways affecting all supported versions, including 9.x and 22.x. We assessed its impact and developed mitigation measures for the vulnerability. Since the previously disclosed vulnerabilities (CVE-2023-46805 and CVE-2024-21887) are already being exploited in the wild and are under the scrutiny of threat actors, this SSRF vulnerability, which bypasses the previous mitigation, demands immediate action: upgrade affected instances to the latest versions. Ivanti has released official patches for all of these vulnerabilities.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-21893.

The CVSS score is 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), based on the following metrics:
• Attack vector is network.
• Attack complexity is low.
• Privileges required is none.
• User interaction is none.
• Scope is unchanged.
• Impact of this vulnerability on data confidentiality is high.
• Impact of this vulnerability on data integrity is low.
• Impact of this vulnerability on data availability is none.

Technical Overview

This vulnerability, an SSRF in the Security Assertion Markup Language (SAML) component of Ivanti products, is essentially a bypass of the mitigation for the original exploit chain. The threat actors can leverage CVE-2024-21893 to execute the original exploit chain involving CVE-2023-46805 and CVE-2024-21887 by circumventing the fix.

To understand the root cause, it is important to look at the SAML endpoints, which do not require authentication (consistent with the CVE metrics, which state that no privileges are required). Examining the web server code published by Rapid7, shown in Figure 1, confirms that the endpoint /dana-ws/saml20.ws can be accessed without authentication.

Figure 1: Web server code indicating unauthenticated endpoints, source: Rapid7

Another piece of code, shown in Figure 2 and defining the function doDispatchRequest, reveals that unauthenticated HTTP POST requests targeting the SAML endpoints /dana-ws/saml.ws, /dana-ws/saml20.ws and /dana-ws/samlecp.ws are forwarded by doDispatchRequest to a service named saml-server. Such a request contains SOAP-based SAML components, which saml-server processes and the function SoapHandler transforms into an XML object. Notably, the XML processing is carried out by an outdated version (3.0.2) of an external library called xmltooling, which in this context is vulnerable to SSRF via a crafted KeyInfo element, as described in CVE-2023-36661. This flaw can be leveraged by posting an unauthenticated HTTP request containing malformed XML data to exploit the underlying SSRF vulnerability in xmltooling and thereby circumvent the mitigation.

Figure 2: Code to process SAML requests, source: Rapid7

Triggering the Vulnerability

Triggering this SSRF vulnerability requires a SOAP envelope to be sent to a SAML endpoint, preferably /dana-ws/saml20.ws, which does not need authentication. The envelope includes a Signature element, which is processed by the vulnerable xmltooling library. The signature in turn contains a KeyInfo element, which can be exploited for SSRF according to an advisory published by the vendor Shibboleth. Specifically, the child element RetrievalMethod of KeyInfo makes the library fetch a remote resource with an HTTP GET request to the location given in its URI attribute, which allows a threat actor to supply the SSRF target. For instance, the sample request in Figure 3 below can be used to send a request on behalf of the appliance.

Figure 3: Sample request to trigger SSRF

Exploitation

The HTTP request illustrated in Figure 3 can be converted into a pre-auth RCE by leveraging the command injection vulnerability (CVE-2024-21887) from the original exploit chain. The endpoint /api/v1/license/keys-status is one of the vulnerable endpoints that allows an attacker to inject commands using a simple GET request, as illustrated in our previous blog post. Since the request originates from the appliance itself, localhost can be used as the target IP to avoid the need for authentication. The plain request looks like the one below and yields a reverse shell back to the attacker's machine.

Figure 4: Request

The line above needs to be URI decoded so that the web server processes it, and then substituted for the “Target URI” in the request shown in Figure 3. The final request carrying the RCE payload looks like Figure 5 below.

Figure 5: Request to trigger RCE using SSRF
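As an added defensive example (not code from the original post, nor from Ivanti or SonicWall), the following Python check parses the body of a POST to a SAML endpoint, locates ds:KeyInfo/ds:RetrievalMethod elements and flags a URI that would make the appliance fetch from itself or from the /api/v1/license/keys-status endpoint described above. The SOAP envelopes, host names and addresses are constructed for the demonstration.

```python
"""Detection helper for the SSRF pattern described above (CVE-2024-21893).

Added example, not SonicWall's or Ivanti's code. It inspects a SOAP/SAML
request body, finds every ds:RetrievalMethod under a ds:KeyInfo and reports
URIs that point back at the appliance (loopback, private or link-local
address, or no host at all) or at the command-injection endpoint named on
this page. Sample envelopes below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# Endpoint the page names as the second stage of the chain (CVE-2024-21887).
WATCHED_PATHS = ("/api/v1/license/keys-status",)


def _is_internal_host(host) -> bool:
    """True for loopback, private, link-local or missing hosts (the appliance itself)."""
    if not host or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolving it is out of scope for this check
    return ip.is_loopback or ip.is_private or ip.is_link_local


def retrieval_method_uris(soap_body: str) -> list:
    """Return the URI attribute of every ds:RetrievalMethod inside a ds:KeyInfo."""
    # For untrusted input in production, parse with defusedxml instead.
    root = ET.fromstring(soap_body)
    uris = []
    for key_info in root.iter(f"{{{XMLDSIG_NS}}}KeyInfo"):
        for rm in key_info.iter(f"{{{XMLDSIG_NS}}}RetrievalMethod"):
            uri = rm.get("URI")
            if uri is not None:
                uris.append(uri)
    return uris


def classify_uri(uri: str) -> list:
    """Reasons a RetrievalMethod URI looks like an SSRF attempt (empty list = benign)."""
    reasons = []
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ("http", "https"):
        reasons.append(f"non-HTTP scheme {parts.scheme!r}")
        return reasons
    if _is_internal_host(parts.hostname):
        reasons.append(f"internal target host {parts.hostname!r}")
    if any(parts.path.startswith(p) for p in WATCHED_PATHS):
        reasons.append(f"second-stage endpoint {parts.path}")
    return reasons


def scan_saml_request(soap_body: str) -> list:
    """Return one finding per suspicious RetrievalMethod URI in the request body."""
    findings = []
    for uri in retrieval_method_uris(soap_body):
        reasons = classify_uri(uri)
        if reasons:
            findings.append({"uri": uri, "reasons": reasons})
    return findings


def _envelope(uri: str) -> str:
    """Constructed SOAP/SAML skeleton; only the KeyInfo matters for the check."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        '<soap:Body><samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
        f'<ds:Signature xmlns:ds="{XMLDSIG_NS}"><ds:KeyInfo>'
        f'<ds:RetrievalMethod URI="{uri}"/>'
        '</ds:KeyInfo></ds:Signature></samlp:Response></soap:Body></soap:Envelope>'
    )


# Constructed samples: a normal metadata fetch and a loopback fetch of the
# endpoint the page describes as the RCE stage.
BENIGN = _envelope("https://idp.example.com/metadata.xml")
SUSPECT = _envelope("http://127.0.0.1/api/v1/license/keys-status")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, scan_saml_request(body))
```

A request whose KeyInfo carries no RetrievalMethod at all produces no findings, so the check is silent on ordinary SAML traffic.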

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4266 Ivanti Connect Secure Server-Side Request Forgery
  • IPS:4268 Ivanti Connect Secure Server-Side Request Forgery 2

Remediation Recommendations

Considering the severe consequences of this vulnerability, the users of affected products are strongly encouraged to apply the patches as published in the vendor advisory.

Relevant Links

The SonicWall Partner Awards: Celebrating Partner Excellence in 2023

2023 was a pivotal year for SonicWall. We spent a good part of the year working on how to better support our partners, and the result was an enhanced SecureFirst Partner Program, better enablement, and more. But even as we were doubling down on making our partners more successful, our partner community was continuing to drive our success.

This community of cybersecurity professionals has dedicated their career to protecting our customers with SonicWall solutions, helping to combat cybercrime and ensure business continuity for the customers and end users who depend on them as much as we do.

Award Criteria

Within this accomplished community is a small group of elite partners who have displayed uncommon excellence. For each of the 14 Partner Awards, we selected from a large pool of nominees, one partner per region, who demonstrated consistent excellence over the past year. These partners have delivered tremendous performance, comprehensive expertise and unsurpassed service. But they’ve also demonstrated dedication to the core principles that guide our business.

Last year, SonicWall rolled out our Ethos, declaring that “the work we are doing makes the world better and provides a significant impact.” The 2024 SonicWall Partner Award recipients have demonstrated their dedication to the characteristics of caring, commitment, integrity, collaboration and expertise.

“For the past three decades, SonicWall has owed its success to the dedication of its esteemed partners and distributors,” SonicWall CEO and President Bob VanKirk said. “We’re extraordinarily grateful for our growing community of 17,000 partners and distributors. But above all, we’re grateful for the opportunity to honor those SonicWall SecureFirst partners who have exemplified our values and dedicated themselves to delivering world-class SonicWall security to organizations across the globe. Thank you for all you do.”

To see who won, head here!

SonicWall offers its heartiest congratulations to all award winners. Your effort and dedication are at the heart of all we do here at SonicWall, and we’re looking forward to another year of supporting your success and helping you grow your business!

This could be you next year! Join our SecureFirst partner program. We have 10 good reasons why you should consider joining our valued partner community.

4 Ways MDR Can Offer MSPs Greater Possibilities, Profitability and Peace of Mind

It was repeated nightly on television for decades: “It’s 10 p.m. Do you know where your children are?” The goal was to get parents to double-check that their kids were back home for the evening before the youth curfews set in — all of which were based on the idea that nothing good happened past a certain hour.

We’ve observed the same in cybersecurity. More than three-quarters of the attacks we observe occur during off-hours, peaking in the wee hours of the morning. For the Managed Service Providers (MSPs) who breathe a sigh of relief each morning as they walk in to find all is well, a better question might be: “It’s 4 a.m. Do you know who’s responding to your alerts?”

A select few MSPs always know the answer to this question. They can rest easy, knowing that their customers’ networks are being monitored by a dedicated team of security experts—whether because they’ve taken on the considerable expense of building an in-house SOC, or because they’ve secured the services of a Managed Detection and Response (MDR) team.

MDR: Experts At Your Service

MSPs provide critical IT and security services to their customers. Because they tend to serve organizations that don’t have their own security teams, an MSP’s clients rely on them for effective security solutions.

However, the cyber threat landscape is constantly changing: New vulnerabilities emerge and bad actors use new tactics, techniques and procedures. How can an MSP bring more advanced security to their customers? Adding a Managed Detection and Response (MDR) service can help — not just by adding an additional layer of security, but also by making the job of the MSP easier.

What MDR Services Can Offer Your Business

Here are just four of the ways that offering MDR can benefit MSPs, particularly those who serve small- and medium-sized businesses:

  1. 24/7 SOC Monitoring: Because bad actors notoriously prefer non-working hours and holidays to deploy attacks, security alerts from tools like endpoint detection often occur when no one is paying attention. Timing is also critical to responding to attacks; minutes can make the difference between a minor annoying alert and a major security incident. Most MSPs simply don’t have the resources to monitor alerts around the clock. MDR solutions, like SonicWall’s, offer 24/7 monitoring — ensuring that no alert is missed, no matter when it comes in. This allows for more immediate response and better overall security for both the MSP and their customers.
  2. Expert Behavioral Analysis: MSPs typically cover a wide range of IT duties — everything from provisioning laptops to deploying business software and managing networking. Not every MSP has deep knowledge of the ever-evolving cyber threat landscape, and even if they do, they’re often already spread thin with other tasks. Unfortunately for MSPs hoping to grow their business, adding the experts needed to uplevel their cybersecurity offerings isn’t always as easy as increasing headcount. It’s no secret that there’s a cybersecurity talent shortage; the jobs requiring skilled cybersecurity talent far outnumber the people who are qualified. Even if an MSP has the resources to hire threat analysts and build a SOC team, they often find the hiring process frustrating, not to mention expensive. SonicWall’s 24/7 SOC, powered by Solutions Granted, is staffed by experts who apply logic and behavioral analysis to security alerts. They recognize alerts that are especially relevant, what threat actor or type of attack they may indicate, and ways to help the MSP take immediate defensive action accordingly.
  3. Reduced Alert Fatigue: Security tools like antivirus and endpoint detection can throw an awful lot of alerts, and not all of them are truly urgent. Amid this cacophony of alerts, it can be easy to miss the ones that are actually important and need to be addressed — especially for MSPs, who may already be busy with anything from meeting with new customers to troubleshooting a printer. Trusting the SOC experts behind SonicWall’s MDR service can reduce this alert fatigue. Because the SOC does all the monitoring, notifying the MSP when an alert needs a specific action, your team no longer needs to worry about reading every single alert — only the ones that truly need your attention.
  4. Advanced Security for SMB Clients: Many MSPs serve small- and medium-sized businesses, which also don’t have their own security teams. While it’s easy to think that some companies are simply too small to be a target of cyberattacks, any organization that uses internet-connected tools is at risk — in fact, some cybercriminals intentionally target SMBs, believing (often correctly) that they’re less well-protected. Businesses that contract with larger enterprises often make particularly attractive targets; attackers zero in on these businesses, hoping for a means of access to their larger enterprise partners as part of a supply chain attack. By offering MDR services, MSPs serving the SMB market can bring their customers the benefits of cyber threat intelligence, advanced threat analytics and threat mitigation they may not have access to otherwise. This tremendous benefit means these SMBs are able to be proactive about their cybersecurity, and the MSP is able to drive continued value for the customer.

SonicWall recently acquired Solutions Granted, an award-winning MSSP offering MDR services, and we’re excited to announce that SonicWall MDR is now available. SonicWall and Solutions Granted both have long histories of empowering MSPs to serve their clients effectively and efficiently with tailored solutions. As part of SonicWall, the Solutions Granted team will continue defending the defenders as part of a company leading the way in empowering MSPs.

Best of all, SonicWall’s MDR offering is easy for MSPs to access. There are no annual contracts or long-term commitments required, and there are no minimums. Whether you’re supporting a hundred endpoints or ten thousand, it’s easy to bring this security advantage to your customers, and you can scale up or down with your business needs. You and your customers can all rest easy with the knowledge that, whether it’s 10 p.m., 4 a.m. or any other time, you’ll always know who’s responding to your alerts.

Ready to learn more about how SonicWall can bring all the benefits of MDR to your clients? Contact us today!

Jenkins CLI Data Leak Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of the Jenkins CLI (command-line interface) arbitrary file read vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Jenkins is a Java-based automation tool that facilitates continuous integration/continuous delivery and deployment (CI/CD). Recently, an arbitrary file read vulnerability was identified in Jenkins, specifically affecting its command-line interface (CLI). The flaw arises from a feature of the Jenkins CLI command parser that improperly handles the ‘@’ character followed by a file path in an argument, which results in the first few lines of that file being disclosed. Consequently, a remote attacker without any privileges could exploit this vulnerability by crafting a command that takes an arbitrary number of arguments and displays them back to the user. Exploited successfully, this vulnerability lets an unauthenticated attacker with no permissions (i.e. against a default Jenkins install) leak the first couple of lines of arbitrary text files on a vulnerable Jenkins server.

Product Versions Impacted

  • Jenkins versions 2.441 and below
  • LTS 2.426.3 and below

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, identified as CVE-2024-23897.

As per NIST NVD, CVE-2024-23897 is still undergoing analysis, so no CVSS score has been defined for this vulnerability as of yet. However, based on the proof of concept (PoC), some inferences can be drawn. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation.

Technical Overview

A severe flaw, classified as an arbitrary file read vulnerability, has been reported in Jenkins instances; it is attributed to how the Jenkins CLI uses the args4j library to parse command arguments and options. args4j is a small Java class library that makes it easy to parse command line options/arguments in a command-line application. The CLI is enabled by default in all Jenkins deployments. Jenkins is widely deployed, with tens of thousands of public-facing installs, and the Jenkins advisory was clear that this vulnerability could lead to remote code execution. When a user supplies certain arguments to the CLI of a vulnerable Jenkins server, specifically arguments starting with ‘@’, the server misinterprets them, and in the resulting output some lines of the referenced file are echoed back as part of error messages. This data leak can be escalated from arbitrary file read to remote code execution on the Jenkins controller; files are read using the default character encoding of the Jenkins controller process. Notably, attackers without Overall/Read permission can read the first few lines of files, and those with that permission can read entire files. The number of lines that can be read depends on the available CLI commands.

This data leak vulnerability could also be used to read binary files with cryptographic keys. There are various Jenkins features such as the “Remember me” cookie, build logs and resource root URLs that may lead to remote code execution by exploiting this vulnerability.

Some Jenkins features make this vulnerability easier to exploit. As shown in the figure below, the “Allow users to sign up” option allows anyone with access to the Jenkins server to self-register an account, and the “Allow anonymous read access” option gives any random user the Overall/Read permission.

Figure 1: Jenkins Controller File System Security Permissions

Exploitation with CVE-2024-23897

Args4j is a Java class library that makes it easy to parse command line options/arguments in CLI applications using annotations, and it generates usage text easily. The command line interface can be accessed over SSH or with the Jenkins CLI client, a .jar file distributed with Jenkins. In the patched Jenkins version, this SSH service is disabled by default, and read permission must be granted by the administrator and obtained through authentication.

While exploiting this vulnerability, the crucial part is to know the version of the live Jenkins instance. A simple curl request to a Jenkins deployment readily discloses its version in a header named “X-Jenkins”. This makes it easy to determine whether the Jenkins server is susceptible to this specific vulnerability.

Figure 2: A simple curl request to Jenkins Server

In the vulnerable Jenkins versions, an unauthenticated user who does not have Overall/Read permission at all is still allowed to read a few lines (three lines) of a file. Even with this limitation, an attacker can achieve remote code execution and decrypt secret keys. Using a specific command with “jenkins-cli.jar”, an unauthenticated attacker can disclose sensitive information. Here are a few examples:

Figure 3: Examples

Figure 4: Exploiting CVE-2024-23897

PoCs have been made public and could be readily used by attackers to leverage vulnerable Jenkins servers. Multiple reports suggest that Jenkins is being exploited in the wild.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signature has been released:

  • IPS:4251 Jenkins CLI Arbitrary File Read

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability
  • Utilizing up-to-date IPS signatures to filter network traffic
  • Configuring the vulnerable product to allow access to trusted clients only

According to the Jenkins advisory, Jenkins 2.442 and LTS 2.426.3 disable the command parser feature that replaces an ‘@’ character followed by a file path in an argument with that file’s contents for CLI commands. As a workaround until the fix can be applied to live instances, Jenkins recommends disabling access to the CLI.

Relevant Links

Vendor Advisory

NIST NVD CVE

SECURITY-3314-3315

Packet Storm Security

GitHub

Medium

Blackwood APT Group Has a New DLL Loader

Overview

This week, the SonicWall Capture Labs threat research team analyzed a sample tied to the Blackwood APT group: a DLL that, once loaded on a victim’s computer, escalates privileges and attempts to install a backdoor for monitoring and diverting communications. It has evasive capabilities and, as of this writing, targets companies and individuals in Japan and China.

Technical Overview

The sample is detected as a 32-bit DLL (Figure 1) with no packer or protector. It has minimal strings and no obvious obfuscation or encryption.

Figure 1: Sample detection

Strings show several API calls of concern, including GetCurrentProcessId, OpenProcess and VirtualAlloc, a combination typically seen in code that injects into another process or loads a DLL into its memory. Two file names are also present: ‘333333333333333.txt’ and ‘Update.ini’, as shown in Figure 2.

Figure 2: Static string detection

The original file name is ‘agent.dll’ (Figure 3), and the DLL has a single anonymous export that multiple tools show only as an ordinal value.

Figure 3: Original name and anonymous export

Dynamic analysis shows multiple anti-analysis checks that prevent most of the sample’s functionality from being observed. It looks for debuggers, processor features and security settings in the registry (Figure 4), and locale checks that, when failed, terminate the process.

Figure 4: WMI registry keys being queried for security checks

The anonymous export at address 0x10001A70 calls a routine that launches ‘rundll32.exe’ as the host process for injection, as shown in Figure 5.

Figure 5: Export address calls sub_10001990, which creates ‘rundll32.exe’

Controlling execution under the debugger reveals a UAC bypass: the DLL attempts to escalate privileges through the CMSTPLUA COM interface[1]. The following COM elevation moniker strings are constructed, as shown in Figures 6 and 7:

  • Elevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
  • Elevation:Administrator!new:{F885120E-3789-4FD9-865E-DC9B4A6412D2}

[1] https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d

Figures 6 (top) and 7 (bottom): A function creates GUIDs for privilege escalation
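Because the sample builds these monikers at runtime rather than storing them in the file, a triage script has to look at memory rather than at the DLL on disk. As an added example (not code from the sample or from SonicWall), the following Python scans a memory dump or process snapshot for COM elevation monikers of the form Elevation:Administrator!new:{CLSID}, in both ASCII and UTF-16LE encodings, and reports the CLSIDs so they can be checked against HKCR\CLSID. The input blob is constructed.

```python
"""Pull COM elevation monikers (Elevation:Administrator!new:{CLSID}) out of a
memory dump, handling both narrow and wide (UTF-16LE) strings."""
import re

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
MONIKER_RE = re.compile(r"Elevation:Administrator!new:(" + GUID + r")")
# Printable runs: plain ASCII, and UTF-16LE where each ASCII byte is followed
# by a NUL byte. Eight characters is the minimum run worth decoding.
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")
WIDE_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def printable_strings(blob):
    """Yield printable strings from a binary blob, ASCII runs first, then wide."""
    for m in ASCII_RUN_RE.finditer(blob):
        yield m.group().decode("ascii")
    for m in WIDE_RUN_RE.finditer(blob):
        yield m.group().decode("utf-16-le")


def find_elevation_monikers(blob):
    """Return the sorted, upper-cased CLSIDs named in elevation monikers.
    Any hit in a process that has no business prompting for elevation, let
    alone one that spawned rundll32.exe, is worth a closer look."""
    found = set()
    for text in printable_strings(blob):
        for m in MONIKER_RE.finditer(text):
            found.add(m.group(1).upper())
    return sorted(found)


# Constructed blob: one moniker stored as ASCII, one as UTF-16LE, with padding.
SAMPLE_DUMP = (
    b"\x00\x00junk\x00"
    b"Elevation:Administrator!new:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}\x00"
    b"rundll32.exe\x00\x00"
    + "Elevation:Administrator!new:{f885120e-3789-4fd9-865e-dc9b4a6412d2}".encode("utf-16-le")
    + b"\x00\x00"
)

if __name__ == "__main__":
    for clsid in find_elevation_monikers(SAMPLE_DUMP):
        print("elevation moniker targets CLSID", clsid)
```

Run it over a dump taken after the sample has passed its anti-analysis checks, for example with the process suspended at the CoGetObject call; on a clean host the only legitimate callers of this moniker are Windows components that expect a UAC prompt.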

The two files listed in the strings are also referenced at runtime (Figure 8), but despite multiple attempts at controlling execution, neither file was observed being created on test systems.

Figure 8: Update.ini is referenced but never created

Protection

To ensure SonicWall customers are prepared for any exposure that may occur due to this malware, the following signatures have been released:

  • MalAgent.Blackwood

IOCs

  • 72B81424D6235F17B3FC393958481E0316C63CA7AB9907914B5A737BA1AD2374

SonicWall and Aruba: Network Defense BFFs (Boosted, Fortified, Flexible)

As flexible and efficient network topologies become the norm, one of the key challenges we grapple with is ensuring security and control in a mobile-first environment. Effectively coordinating networking and security architectures to establish centralized policies means considering both wired and wireless connections, and those policies need to be enforced regardless of where and when devices and users connect.

Determining what measures should be undertaken if a genuine user or device gets compromised post-connection is another concern — no networked environment is entirely immune to this threat.

To add complexity to an already complicated problem, organizations are constantly confronting new issues due to the ever-increasing number of headless machines and IoT devices being added to the IT landscape — many of which present novel pathways requiring cautious oversight.

Aruba ClearPass is a solution designed to manage network access control and policies. Its capabilities go beyond the traditional boundaries, covering network access on both wired and wireless terrains as well as BYOD and IoT/OT mechanisms. It not only enables secure network access, but also accelerates threat response time.

When this cybersecurity game-changer teams up with SonicWall firewalls, the result is a potent, integrated solution that bolsters your network security, preventing cyberattacks and leveraging smart automation.

Within this feature-rich offering, Aruba ClearPass Secure Network Access Control (NAC) shines with its real-time user-to-device mapping and comprehensive device health checkups. It harnesses next-generation firewall (NGFW) policies and rules to detect even the smallest shifts in user or device behavior — changes which often suggest a rogue insider.

In addition to establishing superior visibility into IoT and corporate devices on the network, this joint solution allows you to regulate firewall policies and application access. With user identity and device security posture in mind, it adds another layer of protection to your network environment.

Why Aruba and SonicWall?

By implementing comprehensive and adaptive rules and policies, the combination of SonicWall and Aruba greatly increases your digital protection and your peace of mind. Here’s how:

Device and User Context Awareness

SonicWall NGFWs take enhanced user and device context into account, recognizing different roles, assessing the health status of each device, and more. The result is a tailored barrier against unwanted traffic.

Threat Protection

The system doesn’t just stop rogue traffic — it goes the extra mile to defend network users from threats like phishing, malware, and other sophisticated exploits that could breach your network.

Single-Policy Authorization

SonicWall and Aruba prevent unwanted access by enforcing a single policy, extending our authorization and enforcement across both wired and wireless networks.

Proactive Attack Detection

ClearPass and SonicWall NGFWs work together to provide a proactive, closed-loop attack detection mechanism, reinforcing your digital fortifications. Unusual activity is promptly escalated, triggering a policy-based response to stop the breach.

How Does It Work?

Aruba ClearPass provides total visibility of connected and connecting users, as well as devices, in wired and wireless multi-vendor environments. SonicWall NGFWs expose a RESTful threat API that integrates with Aruba ClearPass for network access control.

Using the restful API, ClearPass can pass security context vectors — including Source IP, Source MAC, User ID, User Role, Domain, Device Category, Device Family, Device Name, OS Type, Hostname and Health Posture — to SonicWall NGFWs. The firewalls then enforce real-time rules based on device type, OS and device health posture at every point of control.

When an alert is generated on a client machine, ClearPass can send it to the SonicWall NGFW, triggering a range of predetermined and policy-based actions, from quarantine to blocking. This seamless, automated enforcement can help prevent one compromised machine from becoming a thousand.

USE CASE: STOP UNAUTHORIZED ACCESS AND SECURE USE OF BYOD/IoT

As remote work and BYOD policies become more common, devices not owned by the business will increasingly have access to corporate data, systems, and services. And while IoT devices can bring significant benefits to businesses and their employees, they also introduce major security issues, making them common targets for cybercriminals.

Aruba ClearPass and SonicWall NGFWs work together to prevent unauthorized access. They profile client devices detected on the corporate network, offering complete visibility of connected and connecting users in both wired and wireless environments. The NGFW utilizes user and device profiling data to determine access rights and restrict access to corporate assets, decreasing the impact of a compromised device.

USE CASE: ROLE-BASED NETWORK ADMISSION AND CONTROL

Today’s workplaces are constantly connected to the Internet. While this has drastically increased efficiency, it poses a threat to data privacy. Users can easily access and download inappropriate or risky content from the corporate network, often without knowing the potential risks involved. This increases risks to organizations’ intellectual property and application data.

Aruba ClearPass works with SonicWall NGFWs to enable granular access control and visibility into corporate user profiles, taking action via the SonicWall firewall if a user’s machine is infected. Any detected anomalies trigger a range of predetermined policy-based actions, such as quarantine or blocking, to protect the rest of the network.

CERTIFIED INTEROPERABLE

Aruba and SonicWall have taken the guesswork out of security by turning static security into contextual security, resulting in more advanced and flexible protection. Setup is simple, requiring only a wireless PC with the ClearPass OnGuard app installed, an Aruba access point, an Aruba Mobility Controller, the ClearPass Policy Manager (CPPM) service and a SonicWall firewall.

SUMMARY

SonicWall has been successfully securing networks for more than 30 years — and Aruba’s secure infrastructure is the ideal way to support proven SonicWall firewalls in applications of any size. Contact us to learn more about how Aruba and SonicWall can deliver your network a cost-effective predictive maintenance solution.

Ivanti Authentication Bypass Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of the Ivanti Connect Secure and Policy Secure Gateway authentication bypass vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Ivanti Connect Secure, formerly known as Pulse Connect Secure, is an SSL VPN (Virtual Private Network) solution designed to enable remote and mobile users to access corporate networks securely from any web-enabled device. Recently, an authentication bypass vulnerability has been identified in both Ivanti Connect Secure and Ivanti Policy Secure Gateways. This security flaw arises from insufficient validation of HTTP request paths within the software. Consequently, a remote attacker could potentially exploit this vulnerability by crafting a malicious HTTP request directed at the target server. If exploited successfully, this vulnerability could grant the attacker unauthenticated access to otherwise secure, authenticated web endpoints, posing a significant security risk to affected systems.

Product Versions Impacted

The list below summarizes the Common Platform Enumeration (CPE) entries for the affected versions and revisions of Ivanti Connect Secure and Policy Secure:

  • Ivanti Connect Secure:
    • Version 9.0: Base, – , r1 – r6, r2.1, r3 – r3.5, r4 – r4.1, r5.0, r6.0
    • Version 9.1: r1, r10 – r11.5, r12 – r12.1, r13 – r13.1, r14, r15 – r15.2, r16 – r16.1, r17 – r17.1, r18, r2 – r4.3, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: -, r1
    • Version 22.3: r1
    • Version 22.4: r1, r2.1
    • Version 22.5: r2.1
    • Version 22.6: -, r1, r2
  • Ivanti Policy Secure:
    • Version 9.0: Base, – , r1 – r4
    • Version 9.1: r1, r10 – r11, r12 – r13.1, r14, r15 – r16, r17 – r18, r2 – r4.2, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: r1, r3
    • Version 22.3: r1, r3
    • Version 22.4: r1, r2, r2.1
    • Version 22.5: r1, r2.1
    • Version 22.6: r1

Each entry is formatted as “Version: Revision(s)”, where “-” indicates the base version and specific revisions are listed thereafter.

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-46805 and CVE-2024-21887.

CVE-2023-46805 carries a CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), rated High. Reading the vector: the attack vector is network, so it can be exploited remotely; attack complexity is low; no privileges and no user interaction are required; scope is unchanged; the confidentiality impact is high, the integrity impact low and the availability impact none. In other words, unauthorized disclosure is the primary risk, ahead of data alteration or service disruption.

CVE-2024-21887 is more severe, with a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), rated Critical. It shares the network attack vector, low complexity and lack of user interaction, but its PR:H component means that, taken on its own, exploitation requires an authenticated administrator. Chained with the authentication bypass in CVE-2023-46805, however, it becomes reachable without any credentials, which is how the two were exploited together in the wild. Its scope is changed, meaning the impact extends beyond the vulnerable web component to the underlying appliance, and the high confidentiality, integrity and availability impacts reflect full command execution on the device: an attacker can read and modify data and disrupt dependent services.

Technical Overview

An authentication bypass vulnerability has been reported in Ivanti Connect Secure, caused by superficial access checks on the unnormalized Request-URI in the web process. It affects Ivanti Connect Secure (versions 9.x and 22.x) and Ivanti Policy Secure: a crafted request whose Request-URI begins with one of the unauthenticated prefixes, such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/”, bypasses authentication. The web process relies on a function that performs simple string comparisons against predefined prefixes, so any request matching one of those prefixes skips the authentication check. The exploit manipulates the remainder of the Request-URI, inserting parent-reference segments (“../”) to pivot to endpoints that normally require authentication. Its reach is somewhat contained by session checks and by the way the REST API is distributed across processes: only endpoints served by the WSGI (Web Server Gateway Interface) process that receives the forwarded request are accessible.

Further investigation revealed the root cause in a custom web server written in C++ that handles all incoming HTTPS requests and fronts both the Perl-based CGI scripts and the REST API. Located at ics_disk1/root/home/bin/web on the appliance, this server acts as a reverse proxy for the API and is responsible for enforcing authentication. That enforcement is undermined by its URI processing: it validates paths with strncmp, which compares only the first N characters of the path against each allow-listed prefix. A path that begins with an unauthenticated endpoint and continues with additional segments (see Figure 1) therefore passes the check, and the traversal segments it carries route the request to endpoints that should have required authentication. A correct check has to normalize the path before comparing it, rather than match a raw prefix.

Figure 1: Example GET Request Path

Triggering the Vulnerability

The authentication bypass in Ivanti Connect Secure can be triggered under certain conditions. Here are four factors that together make the bypass possible:

  • Unnormalized Request-URIs: The vulnerability is exploited by sending a request with a Request-URI that starts with specific paths and has not been normalized, allowing the attacker to circumvent the expected URL structure and access controls.
  • Prefix Matching in URL Paths: The web process performs shallow checks by comparing the raw Request-URI against a list of vulnerable prefixes. If the Request-URI matches one of the known vulnerable paths, such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/”, the request is allowed to pass through without proper authentication.
  • Use of Directory Traversal Techniques: The attacker can employ directory traversal techniques using “../” notation in the Request-URI. This allows the attacker to pivot from the allowed prefix to another endpoint that normally requires authentication, effectively bypassing the access control checks.
  • Limited Endpoint Scope Due to Distributed REST API: While the vulnerability allows pivoting to different endpoints, the scope of accessible endpoints is limited to those implemented by the receiving WSGI process. However, this still poses a significant risk as it exposes certain endpoints of the REST API to unauthenticated access.
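As an added example (not Ivanti code, and not part of the original article), the following Python puts the vulnerable check beside a corrected one: the first compares the raw Request-URI against the allow-listed prefixes exactly as strncmp against a fixed-length prefix does, the second normalizes the path first and then applies the same allow-list. The two prefixes are the ones named above; the protected endpoint /api/v1/system/system-information is used only for illustration, and the percent-decoding of “%2f” into a slash is an assumption about the server, marked in the code.

```python
"""Model of the CVE-2023-46805 check: prefix comparison on the raw
Request-URI versus the same allow-list applied after normalisation."""
import posixpath
from urllib.parse import unquote, urlsplit

# Paths the web process forwards to the REST API without authentication.
UNAUTH_PREFIXES = ("/api/v1/totp/user-backup-code/", "/api/v1/cav/")


def strncmp_prefix_allows(request_uri):
    """Vulnerable: strncmp(uri, prefix, strlen(prefix)) == 0 looks only at the
    first len(prefix) characters of the raw path; '../' later on is never seen."""
    path = urlsplit(request_uri).path
    return any(path[:len(p)] == p for p in UNAUTH_PREFIXES)


def normalize(path):
    """Percent-decode once (assumption: the server decodes '%2f' to '/'),
    collapse '.', '..' and repeated slashes, and keep the result anchored at
    '/' so traversal cannot climb above the root. A trailing slash is kept so
    that '/api/v1/cav/' still matches a prefix ending in '/'."""
    decoded = unquote(path)
    norm = posixpath.normpath("/" + decoded.lstrip("/"))
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def hardened_allows(request_uri):
    """Fixed: normalise first, then require the canonical path to sit under an
    allow-listed directory (the trailing '/' in each prefix matters)."""
    path = normalize(urlsplit(request_uri).path)
    return any(path.startswith(p) for p in UNAUTH_PREFIXES)


def compare(request_uri):
    """Return (vulnerable_result, hardened_result, normalised_path)."""
    return (strncmp_prefix_allows(request_uri),
            hardened_allows(request_uri),
            normalize(urlsplit(request_uri).path))


if __name__ == "__main__":
    for uri in ("/api/v1/cav/client/anything",
                "/api/v1/totp/user-backup-code/../../system/system-information",
                "/api/v1/cav/..%2f..%2fsystem/system-information",
                "/api/v1/system/system-information"):
        raw_ok, fixed_ok, canonical = compare(uri)
        print(f"{uri:<64} strncmp={raw_ok!s:<5} hardened={fixed_ok!s:<5} -> {canonical}")
```

The traversal request passes the raw prefix check because its first 31 characters match “/api/v1/totp/user-backup-code/”, yet it normalizes to “/api/v1/system/system-information”, which is not under either unauthenticated prefix and is rejected by the hardened check. Requests that really are for the unauthenticated endpoints still pass both.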

Exploitation with CVE-2024-21887

CVE-2024-21887 lies in the appliance’s REST API, a Flask application (Flask is a lightweight Python web framework that scales from small services to large sites). The License class in restservice/api/resources/license.py handles requests for the /api/v1/license/keys-status endpoint. Its get method builds a command string by concatenating the node_name parameter taken from the request and hands the string to subprocess.Popen, so shell metacharacters in node_name let an attacker execute arbitrary commands.

Because Flask maps URL path segments and query parameters directly onto handler parameters, an attacker can place a command injection payload in a crafted GET request, and URL-encoding the payload carries shell metacharacters through URL parsing intact. Vendor-supplied mitigations counter these exploits, but on unmitigated appliances, chained with the authentication bypass above, the flaw yields unauthenticated command injection: a GET request to the following URI path, where CMD is any Linux OS (operating system) command, executes that command on the appliance.

Figure 2: URI path

Figure 3: Python Source Code for Arbitrary Linux OS Reverse Shell

Consider exploiting the command injection at the endpoint shown in Figure 4 with the payload shown in Figure 5.

Figure 4: Endpoint

Figure 5: Reverse Shell URI Path

This one-liner Python command (Figure 5) establishes a reverse shell from the target server to the attacker’s machine. Appended to the vulnerable endpoint, it is executed on the server because of the vulnerability. The snippet begins with a semicolon, which terminates the preceding shell command, and then opens a socket connection back to the attacker’s machine (IP address 192.168.2.200, port 5555).

Once the connection is established, it spawns a shell and redirects the shell’s standard input, output and error streams to the socket, effectively tying the shell to the attacker’s console.

This gives the attacker interactive control of a shell on the target machine. For the command to be passed through intact by the web server rather than mangled by URL parsing, it must be URL-encoded before being sent in the GET request to the vulnerable endpoint. URL encoding replaces characters that are reserved or unsafe in a URL (the semicolon, spaces, quotes) with percent-escaped sequences, so the payload reaches the server unchanged and is decoded there before execution.
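As an added illustration of the injection pattern and the URL-decoding step described above (not Ivanti’s license.py, and not code from this article), the following Python models a node_name value concatenated into a shell string destined for Popen(shell=True), shows what /bin/sh would make of it, and places a hardened handler beside it that allow-lists the value and passes it as a single argv element. The tool path /usr/local/bin/license-status and its --node option are hypothetical stand-ins for the real helper; nothing in the block launches a process.

```python
"""Model of the CVE-2024-21887 pattern: request parameter concatenated into a
shell command, beside a hardened handler that never hands it to a shell."""
import re
import shlex
from urllib.parse import unquote

LICENSE_TOOL = "/usr/local/bin/license-status"          # hypothetical helper binary
NODE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")  # hostname-like names only


def decode_query_value(raw):
    """Flask/Werkzeug percent-decodes query values before the handler sees them,
    so '%3B' in the request URI arrives at the handler as ';'."""
    return unquote(raw)


def vulnerable_command(node_name):
    """Vulnerable shape: the decoded parameter lands verbatim in a string that
    would be run as Popen(cmd, shell=True). ';', '|', '`' or '$(...)' inside
    node_name become a second command for /bin/sh."""
    return f"{LICENSE_TOOL} --node {node_name}"


def shell_commands(cmdline):
    """Approximate /bin/sh tokenisation of the string: split into argv lists at
    ';' so an injected command shows up as its own entry."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=";")
    commands, current = [], []
    for token in lexer:
        if token == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def hardened_command(node_name):
    """Hardened: reject anything that is not a plausible node name, then build
    an argv list for Popen(argv) with shell=False, so the value reaches
    execve() as exactly one argument and is never parsed by a shell."""
    if not NODE_NAME_RE.match(node_name):
        raise ValueError(f"invalid node_name: {node_name!r}")
    return [LICENSE_TOOL, "--node", node_name]


def hardened_rejects(node_name):
    """True if the hardened handler refuses the value."""
    try:
        hardened_command(node_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = decode_query_value("node1%3Bid")        # ';id' smuggled in as %3B
    print("decoded parameter:", payload)
    print("shell would run  :", shell_commands(vulnerable_command(payload)))
    print("hardened rejects :", hardened_rejects(payload))
    print("hardened argv    :", hardened_command("node1"))
```

The allow-list is the primary control; the argv form is the backstop, so that even a value which slips past validation can only ever be one argument to the helper and never a command of its own.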

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4234 Ivanti Connect Secure Authentication Bypass
  • IPS:19611 Ivanti Connect Secure Command Injection 1
  • IPS:19612 Ivanti Connect Secure Command Injection 2

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Utilizing up-to-date IPS signatures to filter network traffic.
  • Configuring the vulnerable product to allow access to trusted clients only.

Relevant Links

Vendor Advisory

NIST NVD CVE

Packet Storm Security

CWE-287

Related KB Article

NIST CVSS Calculator Score

Python Reverse Shells

Step Up Your Security with SonicOS 7.1.1

With the modern threat landscape growing more complex by the day, it’s imperative for organizations to spend their money on solutions that work—not just against the threats of today, but also to meet the challenges of tomorrow.

That’s why SonicWall is continuously improving its products and services, most recently with enhancements to our operating system. SonicOS 7 is at the core of all SonicWall next-generation firewalls (NGFWs), from the TZ Series to the NSsp Series — and these improvements are designed to offer the same trusted security while also integrating seamlessly with other platforms.

Here are some of the security advancements introduced with SonicOS 7.1.1:

Superior Threat Protection:

  • New CFS 5.0 engine
  • Advanced DNS filtering
  • Virtual TPM
  • Shell revocation
  • Tamper-free filesystem
  • Hardened OS with new toolchain
  • Improved console application
  • Maintenance key for both virtual and hardware firewalls

Use Cases and Business Requirements:

Feature: NAC integration, offering synergy between SonicWall and Aruba solutions and providing health posture telemetry
  • Use cases:
    • Need to apply enhanced user and device context (including role, device health and more) to NGFW rules and policies for protection against unsanctioned traffic
    • Need to protect users on the network from threats like malware, exploits and phishing
    • Need to enable closed-loop attack detection via next-generation firewall and policy-based response with ClearPass
    • Need to block unauthorized users and devices by implementing a single policy of authorization and enforcement for users and IoT devices across wired and wireless networks, up to the application level
  • Business outcome: Enable enterprises and educational segments to integrate with their Aruba solutions and get more value on Gen7 with health posture

Feature: DNS security that enables blocking websites at the DNS layer without enabling TLS/SSL decryption
  • Use cases:
    • Block bad websites at the DNS layer without enabling TLS decryption and without adding performance overhead
    • MSP – Enables DNS protection to help customers avoid malicious domains
    • ISP – Protects ISPs from DoS and DDoS attacks
    • Enterprises – Offers a faster way to protect users while not affecting end-user performance
    • K-12 – Provides safe browsing experiences for students and staff and keeps control of what domains they are accessing
    • Government – Keeps systems away from malware and bad actors
  • Business outcome: Delivers enterprise-level security to motivate customers to transition to Gen7 seamlessly

Feature: Stronger content filtering solution with additional categories and reputation-based filtering
  • Use cases:
    • Web filtering gateways need to be told which websites are malicious or undesirable
    • Users could take a series of static lists of known bad URLs and IPs and join them together to try to block malicious websites, but static lists can’t keep up with websites and IPs whose status switches from benign to malicious and back very quickly
  • Business outcome: Improved content filtering capabilities for Gen7, resulting in fewer inaccurately rated websites/URLs

Feature: Security improvements, virtual TPM and enhanced kernel security
  • Use cases:
    • Users need both the OS and underlying kernel to be secure
  • Business outcome: Provides an additional layer of security with improved performance

While there are many use cases for each of these enhancements, here’s a closer look at just a few:

DNS Filtering:

DNS filtering – sometimes called advanced DNS Security – is the process of using the Domain Name System to block malicious websites and block risky and/or inappropriate content. This helps ensure that the organization’s data remains secure and allows them to have control over what their employees and contractors can access within and outside their network.

Let’s consider a case where an employee receives a phishing email and is tricked into clicking a malicious website link. Before the employee’s system loads the website, it sends a query to the network’s DNS resolving service, which uses DNS filtering rules. If that malicious website is on the blocklist, the DNS resolver will block the request, preventing the bad website from loading and foiling the phishing attack.

CFS 5.0:

CFS 5.0 is the latest content filtering technology for SonicOS 7.1.1. It introduces reputation-based content filtering, which filters URLs by reputation and blocks certain URLs based on what the URL is known for. Reputation-based filtering allows users to visit “safe” websites that don’t pose a security risk to users or the organization while safeguarding against those that could pose a danger.

Key changes for CFS 5.0 include:

  • Web category extension (64 to 93)
  • Reputation-based filtering
  • UI enhancements for a better user experience
  • Performance improvements in the backend

NAC Integration with Aruba ClearPass:

SonicOS 7.1.1 provides a RESTful threat API to support the integration of Aruba ClearPass with SonicWall NGFWs.

With integrated Network Access Control (NAC), ClearPass can pass security context vectors including source-ip, source-mac, user-id, user-role, domain, device-category, device-family, device-name, os-type, hostname and health-posture to SonicWall firewalls, which use them to build policies for mitigation actions.

This architecture will turn static security into contextual security, providing relevant details about what is traversing across the network/environment.

Virtual TPM and underlying Kernel Security Enhancements:

With the Virtual Trusted Platform Module (vTPM) feature, users can add a TPM 2.0 virtual crypto processor to a virtual machine. A vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A vTPM acts as any other virtual device, helping to secure virtual machines including the SonicWall NSv Series NGFWs.

Secure with Confidence

These are just a few of the security-enhancing benefits that come with running SonicOS 7.1.1. With this update, you get all of these new features alongside Capture Advanced Threat Protection and our patented Real-Time Deep Memory Inspection (RTDMI™). SonicOS 7.1.1 provides peace of mind and confidence in your network security that you won’t get everywhere else — all at a value you can’t get anywhere else.

For a more detailed breakdown, check out our SonicOS 7.1.1 datasheet.