SonicWall and Aruba: Network Defense BFFs (Boosted, Fortified, Flexible)

As flexible and efficient network topologies become the norm, one of the key challenges we grapple with is ensuring security and control in a mobile-first environment. Figuring out how to effectively coordinate between networking and security architectures to establish centralized policies involves considering both wired and wireless connections. These policies need to be duly enforced, regardless of wherever and whenever devices and users establish a connection.

Determining what measures should be undertaken if a genuine user or device gets compromised post-connection is another concern — no networked environment is entirely immune to this threat.

To add complexity to an already complicated problem, organizations are constantly confronting new issues due to the ever-increasing number of headless machines and IoT devices being added to the IT landscape — many of which present novel pathways requiring cautious oversight.

Aruba ClearPass is a solution designed to manage network access control and policies. Its capabilities go beyond the traditional boundaries, covering network access on both wired and wireless terrains as well as BYOD and IoT/OT mechanisms. It not only enables secure network access, but also accelerates threat response time.

When this cybersecurity game-changer teams up with SonicWall firewalls, the result is a potent, integrated solution that bolsters your network security, preventing cyberattacks and leveraging smart automation.

Within this feature-rich offering, Aruba ClearPass Secure Network Access Control (NAC) shines with its real-time user-to-device mapping and comprehensive device health checkups. It harnesses next-generation firewall (NGFW) policies and rules to detect even the smallest shifts in user or device behavior — changes which often suggest a rogue insider.

In addition to establishing superior visibility into IoT and corporate devices on the network, this joint solution allows you to regulate firewall policies and application access. With user identity and device security posture in mind, it adds another layer of protection to your network environment.

Why Aruba and SonicWall?

By implementing comprehensive and adaptive rules and policies, the combination of SonicWall and Aruba greatly increases your digital protection and your peace of mind. Here’s how:

Device and User Context Awareness

SonicWall NGFWs consider enhanced user and device contexts by recognizing different roles, assessing the health status of each device, and more. The result is a personalized, foolproof shield against any unwanted traffic.

Threat Protection

The system doesn’t just stop rogue traffic — it goes the extra mile to defend network users from threats like phishing, malware, and other sophisticated exploits that could breach your network.

Single-Policy Authorization

SonicWall and Aruba prevent unwanted access by enforcing a single policy, extending our authorization and enforcement across both wired and wireless networks.

Proactive Attack Detection

ClearPass and SonicWall NGFWs work together to provide a proactive, closed-loop attack detection mechanism, reinforcing your digital fortifications. Unusual activity is promptly escalated, triggering a policy-based response to stop the breach.

How Does It Work?

Aruba ClearPass provides total visibility of connected and connecting users, as well as devices, in wired and wireless multi-vendor environments. SonicWall NGFWs provide a RESTful threat API that integrates with Aruba ClearPass for network access control.

Using the RESTful API, ClearPass can pass security context vectors — including Source IP, Source MAC, User ID, User Role, Domain, Device Category, Device Family, Device Name, OS Type, Hostname and Health Posture — to SonicWall NGFWs. The firewalls then enforce real-time rules based on device type, OS and device health posture at every point of control.

When an alert is generated on a client machine, ClearPass can send it to the SonicWall NGFW, triggering a range of predetermined and policy-based actions, from quarantine to blocking. This seamless, automated enforcement can help prevent one compromised machine from becoming a thousand.

USE CASE: STOP UNAUTHORIZED ACCESS AND SECURE USE OF BYOD/IoT

As remote work and BYOD policies become more common, devices not owned by the business will increasingly have access to corporate data, systems, and services. And while IoT devices can bring significant benefits to businesses and their employees, they also introduce major security issues, making them common targets for cybercriminals.

Aruba ClearPass and SonicWall NGFWs work together to prevent unauthorized access. They profile client devices detected on the corporate network, offering complete visibility of connected and connecting users in both wired and wireless environments. The NGFW utilizes user and device profiling data to determine access rights and restrict access to corporate assets, decreasing the impact of a compromised device.

USE CASE: ROLE-BASED NETWORK ADMISSION AND CONTROL

Today’s workplaces are constantly connected to the Internet. While this has drastically increased efficiency, it poses a threat to data privacy. Users can easily access and download inappropriate or risky content from the corporate network, often without knowing the potential risks involved. This increases risks to organizations’ intellectual property and application data.

Aruba ClearPass works with SonicWall NGFWs to enable granular access control and visibility into corporate user profiles, and to take action via the SonicWall firewall if a user’s machine is infected. Any detected anomalies trigger a range of predetermined policy-based actions, such as quarantine or blocking, to protect the rest of the network.

CERTIFIED INTEROPERABLE

Aruba and SonicWall have taken the guesswork out of security by turning static security into contextual security, resulting in more advanced and flexible protection. Setup is simple, requiring only a wireless PC with the ClearPass OnGuard app installed, an Aruba access point, Aruba Mobile Network Controller, ClearPass CPPM service and a SonicWall firewall.

SUMMARY

SonicWall has been successfully securing networks for more than 30 years — and Aruba’s secure infrastructure is the ideal way to support proven SonicWall firewalls in applications of any size. Contact us to learn more about how Aruba and SonicWall can deliver your network a cost-effective predictive maintenance solution.

Ivanti Authentication Bypass Vulnerability

Overview

The SonicWall Capture Labs threat research team became aware of the Ivanti Connect Secure and Policy Secure Gateway authentication bypass vulnerability, assessed its impact and developed mitigation measures for the vulnerability.

Ivanti Connect Secure, formerly known as Pulse Connect Secure, is an SSL VPN (Virtual Private Network) solution designed to enable remote and mobile users to access corporate networks securely from any web-enabled device. Recently, an authentication bypass vulnerability has been identified in both Ivanti Connect Secure and Ivanti Policy Secure Gateways. This security flaw arises from insufficient validation of HTTP request paths within the software. Consequently, a remote attacker could potentially exploit this vulnerability by crafting a malicious HTTP request directed at the target server. If exploited successfully, this vulnerability could grant the attacker unauthenticated access to otherwise secure, authenticated web endpoints, posing a significant security risk to affected systems.

Product Versions Impacted

The list below concisely summarizes the Common Platform Enumeration (CPE) entries for Ivanti’s Connect Secure and Policy Secure products. It encompasses a range of versions and revisions, highlighting the extensive variety within the product lineup. The versions impacted are as follows:

  • Ivanti Connect Secure:
    • Version 9.0: Base, – , r1 – r6, r2.1, r3 – r3.5, r4 – r4.1, r5.0, r6.0
    • Version 9.1: r1, r10 – r11.5, r12 – r12.1, r13 – r13.1, r14, r15 – r15.2, r16 – r16.1, r17 – r17.1, r18, r2 – r4.3, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: -, r1
    • Version 22.3: r1
    • Version 22.4: r1, r2.1
    • Version 22.5: r2.1
    • Version 22.6: -, r1, r2
  • Ivanti Policy Secure:
    • Version 9.0: Base, – , r1 – r4
    • Version 9.1: r1, r10 – r11, r12 – r13.1, r14, r15 – r16, r17 – r18, r2 – r4.2, r5 – r9.1
    • Version 22.1: r1, r6
    • Version 22.2: r1, r3
    • Version 22.3: r1, r3
    • Version 22.4: r1, r2, r2.1
    • Version 22.5: r1, r2.1
    • Version 22.6: r1

Each entry is formatted as “Version: Revision(s)”, where “-” indicates the base version and specific revisions are listed thereafter.

CVE Details

This security issue has been formally acknowledged and indexed in the Common Vulnerabilities and Exposures (CVE) system, explicitly identified as CVE-2023-46805 and CVE-2024-21887.

CVE-2023-46805 carries an overall CVSS score of 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity. The score’s detailed composition indicates the vulnerability’s attributes and potential repercussions. It has a network-based attack vector, meaning the vulnerability can be exploited remotely, and its attack complexity is low, suggesting minimal effort is required for exploitation. It necessitates no special privileges, increasing its potential reach, and it doesn’t require user interaction, enhancing its stealth and potential for unnoticed exploitation. Although the scope of the attack is unchanged, the vulnerability critically endangers data confidentiality, implying a significant risk of sensitive data exposure. However, its impact on data integrity is low, and it does not affect data availability, suggesting that unauthorized data disclosure is more likely than data alteration or service disruption.

Contrastingly, CVE-2024-21887 presents an even more critical threat, evidenced by its CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). While this vulnerability shares certain characteristics with CVE-2023-46805 — such as a network-based attack vector and low attack complexity — it differs notably in its requirement for high privileges, indicating it affects more protected or sensitive areas. Like its counterpart, it operates covertly without user interaction. However, this vulnerability’s scope is classified as changed, hinting at a broader, more systemic impact. Its high ratings across confidentiality, integrity and availability underscore its potential for extensive harm, allowing attackers not only to access and modify sensitive data but also to significantly disrupt dependent services or applications.

Technical Overview

An alarming authentication bypass vulnerability has been reported in Ivanti Connect Secure, attributed to superficial access checks on the unnormalized Request-URI in the web process. This flaw is notably present in Ivanti Connect Secure (versions 9.x, 22.x) and Ivanti Policy Secure, where a specifically crafted request with a Request-URI beginning with vulnerable paths such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/” can evade standard authentication protocols. This vulnerability arises due to the web process’s reliance on a vulnerable function that conducts basic string comparisons against predefined prefixes, allowing requests that match these paths to bypass authentication checks. The exploit hinges on manipulating the Request-URI, incorporating parent reference segments (e.g., “../”) to pivot to endpoints normally safeguarded by authentication. However, the exploit’s scope is somewhat contained due to session checks and the limited distribution of the REST API, restricting accessible endpoints to those managed by the receiving WSGI (Web Server Gateway Interface) process.

Further probing into the system’s architecture revealed a critical loophole in a custom web server developed in C++, integral to managing all incoming HTTPS requests and closely associated with Perl-based CGI scripts and the REST API. Situated within the system’s binary structure at ics_disk1/root/home/bin/web, this server serves not only as a gateway for HTTPS requests but also plays a pivotal role in the REST API’s functionality. Acting as a proxy, the server directs requests to the API as necessary, focusing heavily on authentication enforcement. However, the authentication mechanism is compromised by the server’s flawed URI processing method, which employs a strncmp function for path validation. This function’s limitation to checking only a set number of initial characters in the path creates a significant security gap. By crafting a path (see Figure 1) that initiates with a vulnerable endpoint and appending additional characters, attackers can navigate around the authentication, gaining unauthorized access to sensitive resources and functions within the system. This discovery underscores the urgency for a comprehensive overhaul of the security measures, particularly the methods for URI path validation and processing.

Figure 1: Example GET Request Path

Triggering the Vulnerability

The vulnerability in Ivanti Connect Secure related to authentication bypass can be triggered under certain conditions. Here are four key scenarios or factors that can lead to the exploitation of this vulnerability:

  • Unnormalized Request-URIs: The vulnerability is exploited by sending a request with a Request-URI that starts with specific paths and has not been normalized, allowing the attacker to circumvent the expected URL structure and access controls.
  • Prefix Matching in URL Paths: The web process performs shallow checks by comparing the raw Request-URI against a list of vulnerable prefixes. If the Request-URI matches one of the known vulnerable paths, such as “/api/v1/totp/user-backup-code/” or “/api/v1/cav/”, the request is allowed to pass through without proper authentication.
  • Use of Directory Traversal Techniques: The attacker can employ directory traversal techniques using “../” notation in the Request-URI. This allows the attacker to pivot from the allowed prefix to another endpoint that normally requires authentication, effectively bypassing the access control checks.
  • Limited Endpoint Scope Due to Distributed REST API: While the vulnerability allows pivoting to different endpoints, the scope of accessible endpoints is limited to those implemented by the receiving WSGI process. However, this still poses a significant risk as it exposes certain endpoints of the REST API to unauthenticated access.
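To make the shallow prefix check and its fix concrete, here is an added Python example (not Ivanti's code and not taken from this advisory) that contrasts a comparison on the raw Request-URI with one made on the canonical path, and uses the difference as a log-review heuristic. The exempt prefixes come from the text; "/api/v1/protected/example" and the sample paths are constructed placeholders.

```python
import posixpath
from urllib.parse import unquote

# Taken from the advisory text: Request-URI prefixes that the web process
# exempted from authentication using a shallow, strncmp-style comparison.
EXEMPT_PREFIXES = ("/api/v1/totp/user-backup-code/", "/api/v1/cav/")


def is_exempt_shallow(request_uri: str) -> bool:
    """Mimic the flawed check: compare the RAW Request-URI against each
    prefix and look no further than the prefix length."""
    return any(request_uri.startswith(p) for p in EXEMPT_PREFIXES)


def normalize_path(request_uri: str) -> str:
    """Canonicalize before any access decision: drop the query string,
    percent-decode once, collapse '.', '..' and repeated slashes, and keep
    a trailing slash so prefix matching on directories still works."""
    path = unquote(request_uri.split("?", 1)[0]) or "/"
    norm = posixpath.normpath(path)
    while norm.startswith("//"):      # POSIX normpath preserves a leading '//'
        norm = norm[1:]
    if not norm.startswith("/"):
        norm = "/" + norm
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def is_exempt_hardened(request_uri: str) -> bool:
    """Same allowlist, evaluated on the canonical path instead of the raw one."""
    return any(normalize_path(request_uri).startswith(p) for p in EXEMPT_PREFIXES)


def looks_like_bypass_attempt(request_uri: str) -> bool:
    """Log-review heuristic: the raw URI passes the shallow check while the
    canonical path ends up outside every exempt prefix."""
    return is_exempt_shallow(request_uri) and not is_exempt_hardened(request_uri)


def audit_requests(request_uris):
    """Return (raw_uri, canonical_path) pairs for requests that would have
    slipped past the shallow check but are stopped by the hardened one."""
    return [(u, normalize_path(u)) for u in request_uris if looks_like_bypass_attempt(u)]


if __name__ == "__main__":
    # Constructed sample access-log paths. '/api/v1/protected/example' stands
    # in for any endpoint that normally requires authentication.
    sample = [
        "/api/v1/cav/status",
        "/api/v1/cav/../protected/example",
        "/api/v1/totp/user-backup-code/%2e%2e/protected/example?x=1",
        "/api/v1/protected/example",
    ]
    for raw, canonical in audit_requests(sample):
        print(f"bypass attempt: {raw} -> {canonical}")
```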

Exploitation with CVE-2024-21887

Flask is a lightweight, flexible Python web framework: a Flask application is simple to start with and scales up to complex commercial sites, providing an array of tools, libraries and technologies. Despite these benefits, Flask applications can still contain vulnerabilities, such as the command injection flaw in the License class of restservice/api/resources/license.py, which handles requests for the /api/v1/license/keys-status endpoint. This vulnerability arises from the get method’s improper concatenation of command strings, especially when handling the node_name parameter, enabling attackers to execute arbitrary commands via subprocess.Popen.

Leveraging Flask’s automatic mapping of URL endpoints to function parameters, attackers can send crafted GET requests that redirect to vulnerable endpoints with command injection payloads, with URL encoding allowing the transmission of intricate payloads. Although these vulnerabilities present substantial security risks, the vendor-supplied mitigations effectively counteract these exploits. Notably, this vulnerability allows attackers to achieve unauthenticated command injection by sending a GET request to the following URI path, where CMD is any arbitrary Linux OS (Operating System) command, presenting a significant security concern.

Figure 2: URI path

Figure 3: Python Source Code for Arbitrary Linux OS Reverse Shell

Consider the scenario of exploiting the command injection vulnerability (Figure 5) at the endpoint shown in Figure 4.

Figure 4: Endpoint

Figure 5: Reverse Shell URI Path

This one-liner Python command (Figure 5) is crafted to establish a reverse shell from the target server to the attacker’s machine. This command, when appended to the vulnerable endpoint, would be executed on the server due to the vulnerability. The Python script, starting with a semicolon to signify the end of a previous command, is a compact and potent snippet designed to create a socket connection back to the attacker’s machine (at IP address 192.168.2.200 and port 5555).

Once the connection is established, it spawns a shell and redirects the shell’s standard input, output and error streams to the socket, effectively tying the shell to the attacker’s console.

This provides the attacker with interactive control over the shell on the target machine. However, for this command to be successfully processed and interpreted by the web server, and not be blocked by URL parsing mechanisms, it must be URL-encoded before being sent in the GET request to the vulnerable endpoint. URL encoding transforms potentially unsafe ASCII characters into a format that can be transmitted over the internet, ensuring the payload is delivered intact to the server for execution.
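As an added illustration, not taken from Ivanti's license.py, the following Python shows the string-concatenation pattern the text describes beside its hardened form (argv list with shell=False plus an allowlist for node_name). The helper binary is replaced by echo and the node_name values are constructed so the example runs anywhere.

```python
import re
import subprocess

# Hypothetical stand-in for the privileged helper the real handler spawned
# through subprocess.Popen; 'echo' is used so the example runs anywhere.
HELPER = "echo"

# Allowlist for node_name: a host-style label, no shell metacharacters and
# no leading '-' that the helper could read as an option.
NODE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")


def run_keys_status_unsafe(node_name: str) -> str:
    """The flawed pattern the advisory describes: the request parameter is
    concatenated into a single command string that a shell then parses."""
    cmd = f"{HELPER} node={node_name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_keys_status_argv_only(node_name: str) -> str:
    """Step one of the fix: pass argv as a list with shell=False. Whatever the
    caller sends stays a single argument and is never parsed as shell syntax."""
    argv = [HELPER, f"node={node_name}"]
    return subprocess.run(argv, shell=False, capture_output=True, text=True).stdout


def is_valid_node_name(node_name: str) -> bool:
    return NODE_NAME_RE.fullmatch(node_name) is not None


def run_keys_status_safe(node_name: str) -> str:
    """Step two: also validate the value, because the helper itself may
    interpret arguments (for example a leading '-') even with no shell."""
    if not is_valid_node_name(node_name):
        raise ValueError(f"rejected node_name: {node_name!r}")
    return run_keys_status_argv_only(node_name)


if __name__ == "__main__":
    payload = "node1; echo INJECTED"          # constructed test value
    print("unsafe   :", repr(run_keys_status_unsafe(payload)))
    print("argv only:", repr(run_keys_status_argv_only(payload)))
    print("safe     :", repr(run_keys_status_safe("node1")))
```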

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4234 Ivanti Connect Secure Authentication Bypass
  • IPS:19611 Ivanti Connect Secure Command Injection 1
  • IPS:19612 Ivanti Connect Secure Command Injection 2

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

  • Applying the vendor-supplied patch to eliminate this vulnerability.
  • Using up-to-date IPS signatures to filter network traffic.
  • Configuring the vulnerable product to allow access from trusted clients only.

Relevant Links

Vendor Advisory

NIST NVD CVE

Packetstorm Security

CWE-287

Related KB Article

NIST CVSS Calculator Score

Python Reverse Shells

Step Up Your Security with SonicOS 7.1.1

With the modern threat landscape growing more complex by the day, it’s imperative for organizations to spend their money on solutions that work—not just against the threats of today, but also to meet the challenges of tomorrow.

That’s why SonicWall is continuously improving its products and services, most recently with enhancements to our operating system. SonicOS 7 is at the core of all SonicWall next-generation firewalls (NGFWs), from the TZ Series to the NSsp Series — and these improvements are designed to offer the same trusted security while also integrating seamlessly with other platforms.

Here are some of the security advancements introduced with SonicOS 7.1.1:

Superior Threat Protection:

  • New CFS 5.0 engine
  • Advanced DNS filtering
  • Virtual TPM
  • Shell Revocation
  • Tamper-Free Filesystem
  • Hardened OS with new toolchain
  • Improved console application
  • Maintenance key for both virtual and hardware firewalls

Use Cases and Business Requirements:

Features, use cases and business outcomes:

Feature: NAC integration, offering synergy between SonicWall and Aruba solutions and providing health posture telemetry
Use cases:
  • Need to apply enhanced user and device context (including role, device health and more) to NGFW rules and policies for protection against unsanctioned traffic
  • Need to protect users on the network from threats like malware, exploits and phishing
  • Need to enable closed-loop attack detection via next-generation firewall and policy-based response with ClearPass
  • Need to block unauthorized users and devices by implementing a single policy of authorization and enforcement for users and IoT devices across wired and wireless networks, up to the application level
Business outcome: Enable enterprises and educational segments to integrate with their Aruba solutions and get more value on Gen7 with health posture

Feature: DNS security that enables blocking websites at the DNS layer without enabling TLS/SSL decryption
Use cases:
  • Block bad websites at the DNS layer without enabling TLS decryption and adding more hits to performance
  • MSP – Enables DNS protection to help customers avoid malicious domains
  • ISP – Protects ISPs from DoS and DDoS attacks
  • Enterprises – Offers a faster way to protect users while not affecting end user performance
  • K-12 – Provides safe browsing experiences for students and staff and keeps control of what domains they are accessing
  • Government – Keeps the systems away from malware and bad actors
Business outcome: Delivers enterprise-level security to motivate customers to transition to Gen7 seamlessly

Feature: Stronger content filtering solution with additional categories and reputation-based filtering
Use cases:
  • Web filtering gateways need to be told which websites are malicious or undesirable
  • Users could take a series of static lists of known bad URLs and IPs and join them together to try to block malicious websites. However, static lists can’t keep up with websites and IPs whose status switches from benign to malicious and back very quickly
Business outcome: Improved content filtering capabilities for Gen7, resulting in fewer inaccurately rated websites/URLs

Feature: Security improvements, virtual TPM and enhanced security
Use case: Users need both the OS and underlying kernel to be secure
Business outcome: Provides an additional layer of security with improved performance

While there are many use cases for each of these enhancements, here’s a closer look at just a few:

DNS Filtering:

DNS filtering – sometimes called advanced DNS Security – is the process of using the Domain Name System to block malicious websites and block risky and/or inappropriate content. This helps ensure that the organization’s data remains secure and allows them to have control over what their employees and contractors can access within and outside their network.

Let’s consider a case where an employee receives a phishing email and is tricked into clicking a malicious website link. Before the employee’s system loads the website, it sends a query to the network’s DNS resolving service, which uses DNS filtering rules. If that malicious website is on the blocklist, the DNS resolver will block the request, preventing the bad website from loading and foiling the phishing attack.

CFS 5.0:

CFS 5.0 is the latest content filtering technology for SonicOS 7.1.1. It introduces reputation-based content filtering, which filters URLs by reputation and blocks certain URLs based on what the URL is known for. Reputation-based filtering allows users to visit “safe” websites that don’t pose a security risk to users or the organization while safeguarding against those that could pose a danger.

Key changes for CFS 5.0 include:

  • Web category extension (64 to 93)
  • Reputation-based filtering
  • UI enhancements for a better user experience
  • Performance improvements in the backend

NAC Integration with Aruba ClearPass:

SonicOS 7.1.1 provides a RESTful threat API to support the integration of Aruba ClearPass with SonicWall NGFWs.

With integrated Network Access Control (NAC), ClearPass can pass security context vectors including source-ip, source-mac, user-id, user-role, domain, device-category, device-family, device-name, os-type, hostname and health-posture to SonicWall solutions to build policies for mitigation actions.

This architecture will turn static security into contextual security, providing relevant details about what is traversing across the network/environment.

Virtual TPM and underlying Kernel Security Enhancements:

With the Virtual Trusted Platform Module (vTPM) feature, users can add a TPM 2.0 virtual crypto processor to a virtual machine. A vTPM is a software-based representation of a physical Trusted Platform Module 2.0 chip. A vTPM acts as any other virtual device, helping to secure virtual machines including the SonicWall NSv Series NGFWs.

Secure with Confidence

These are just a few of the security-enhancing benefits that come with running SonicOS 7.1.1. With this update, you get all of these new features alongside Capture Advanced Threat Protection and our patented Real-Time Deep Memory Inspection (RTDMI™). SonicOS 7.1.1 provides peace of mind and confidence in your network security that you won’t get everywhere else — all at a value you can’t get anywhere else.

For a more detailed breakdown, check out our SonicOS 7.1.1 datasheet.

GitLab Account Takeover

Overview

The SonicWall Capture Labs threat research team became aware of an account takeover via password reset vulnerability in GitLab, assessed its impact and developed mitigation measures for the vulnerability. GitLab, an open-source code-sharing platform, published an advisory on this vulnerability affecting GitLab CE/EE versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2. Considering the substantial user base as well as the existence of a public PoC, not only is it expected to be exploited in the wild, but it will also presumably join CISA’s Known Exploited Vulnerabilities (KEV) catalog. Because of this, GitLab users are strongly encouraged to upgrade their instances to the latest versions as applicable.

CVE Details

This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2023-7028.

The CVSS score is 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), based on the following metrics:
  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is changed.
  • Impact of this vulnerability on data confidentiality is high.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

Technical Overview

This vulnerability was introduced in version 16.1.0 with an enhancement to the password reset function that allowed users to reset their password using a secondary email address. A flaw in the implementation lets threat actors abuse the password reset functionality and deceive the application into sending the reset link to an attacker-controlled email address by leveraging a parameter pollution technique.

To remediate the issue, new versions have been released with a patch (as seen in the commit) that sends password reset instructions to a user’s secondary email only if that address is confirmed, unlike previous versions. The password reset page of the patched version of GitLab reflects the same message, as seen in Figure 1.

Figure 1: Reset password instructions in vulnerable vs patched version

Triggering the Vulnerability

The only prerequisite for this attack is that the threat actor knows the victim’s email address. Combined with the low attack complexity, that makes exploitation of this vulnerability very straightforward. Additionally, attackers can make use of ‘admin@example.com’, the default registered email address for the user ‘root’, to gain the highest privilege available, provided the user has not deleted the pre-registered email. The attacker then needs to construct the POST request using the victim’s legitimate email address together with their own email address, so that they receive the password reset link. The sample URL-decoded request data would look like this:

Figure 2: Sample URL

Exploitation

The malformed password reset request shown in Figure 3 is sent so that the password-reset link for the victim account is delivered to the attacker-controlled, unverified mailbox; resetting the password with that link gives the attacker access to the victim account.

Figure 3: Sample attack request

Two-factor authentication (2FA) can lessen the risk to an extent by denying the threat actor account access, but the underlying risk of the password being reset by an unauthorized user will still be present.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

  • IPS:4229 GitLab Password Reset Attempt Using Multiple Email IDs
  • IPS:4231 GitLab Password Reset Attempt Using Multiple Email IDs 2

Indicators of Compromise (IOC)

As mentioned in the vendor advisory, users can check the following logs for potential attempts to exploit this vulnerability:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with value.email consisting of a JSON array with multiple email addresses, as shown in the sample below:
    {"method":"POST","path":"/users/password","format":"html","controller":"PasswordsController","action":"create","status":302,"location":"http://gitlab.sw.local/users/sign_in","time":"2024-01-16T09:53:16.121Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.com"]}}],"correlation_id":"08V0ZKAEAF9Q8QQ6X867DFS",<truncated…>}
  • By contrast, a sample log entry for a legitimate request looks like this:
    {"method":"POST","path":"/users/password","format":"html","controller":"PasswordsController","action":"create","status":302,"location":"http://gitlab.sw.local/users/sign_in","time":"2024-01-17T14:25:38.840Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"user@example.com"}}],"correlation_id":"01X0ECS3P6ZEF55YRA7XNNH",<truncated…>}
  • Check gitlab-rails/audit_json.log for entries with caller_id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
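An added Python example, not from GitLab or the vendor advisory, that applies the two log checks above to constructed lines modelled on the samples. The audit_json.log layout and any field beyond those quoted in the advisory are assumptions.

```python
import json

# Constructed sample lines modelled on the advisory's examples: one polluted
# reset request carrying two addresses, one legitimate request, one unrelated.
SAMPLE_PRODUCTION_LOG = """
{"method":"POST","path":"/users/password","format":"html","controller":"PasswordsController","action":"create","status":302,"location":"http://gitlab.sw.local/users/sign_in","time":"2024-01-16T09:53:16.121Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":["victim@example.com","attacker@example.com"]}}],"correlation_id":"08V0ZKAEAF9Q8QQ6X867DFS"}
{"method":"POST","path":"/users/password","format":"html","controller":"PasswordsController","action":"create","status":302,"location":"http://gitlab.sw.local/users/sign_in","time":"2024-01-17T14:25:38.840Z","params":[{"key":"authenticity_token","value":"[FILTERED]"},{"key":"user","value":{"email":"user@example.com"}}],"correlation_id":"01X0ECS3P6ZEF55YRA7XNNH"}
{"method":"GET","path":"/users/sign_in","format":"html","controller":"SessionsController","action":"new","status":200,"time":"2024-01-17T14:25:40.000Z","params":[],"correlation_id":"CONSTRUCTED0000000000001"}
"""

# Constructed audit_json.log lines; only the fields the advisory names are modelled.
SAMPLE_AUDIT_LOG = """
{"time":"2024-01-16T09:53:16.130Z","caller_id":"PasswordsController#create","target_details":["victim@example.com","attacker@example.com"],"correlation_id":"08V0ZKAEAF9Q8QQ6X867DFS"}
{"time":"2024-01-17T14:25:38.850Z","caller_id":"PasswordsController#create","target_details":"user@example.com","correlation_id":"01X0ECS3P6ZEF55YRA7XNNH"}
"""


def email_param(entry):
    """Extract user[email] from a production_json.log params array."""
    for p in entry.get("params") or []:
        if p.get("key") == "user" and isinstance(p.get("value"), dict):
            return p["value"].get("email")
    return None


def is_polluted_reset(entry):
    """production_json.log: POST /users/password whose user[email] is an array
    with more than one address (a normal reset carries a single string)."""
    if entry.get("method") != "POST" or entry.get("path") != "/users/password":
        return False
    email = email_param(entry)
    return isinstance(email, list) and len(email) > 1


def is_polluted_audit(entry):
    """audit_json.log: PasswordsController#create whose target_details is an array."""
    if entry.get("caller_id") != "PasswordsController#create":
        return False
    details = entry.get("target_details")
    return isinstance(details, list) and len(details) > 1


def scan(log_text, predicate):
    """Parse one JSON object per line and return the entries that match."""
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue                      # tolerate truncated or partial lines
        if predicate(entry):
            hits.append({
                "time": entry.get("time"),
                "correlation_id": entry.get("correlation_id"),
                "emails": email_param(entry) or entry.get("target_details"),
            })
    return hits


def correlate(production_hits, audit_hits):
    """Correlation IDs present in both logs: the strongest evidence of an attempt."""
    return ({h["correlation_id"] for h in production_hits}
            & {h["correlation_id"] for h in audit_hits})


if __name__ == "__main__":
    prod = scan(SAMPLE_PRODUCTION_LOG, is_polluted_reset)
    audit = scan(SAMPLE_AUDIT_LOG, is_polluted_audit)
    for h in prod:
        print(f"{h['time']} {h['correlation_id']} reset requested for {h['emails']}")
    print("confirmed in both logs:", sorted(correlate(prod, audit)))
```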

Remediation Recommendations

  • Enable Two-Factor Authentication (2FA), a silver bullet to deny unauthorized access, for all accounts.
  • GitLab released an update to address the issue, and it is highly recommended to update the application to version 16.7.2, 16.6.4, 16.5.6 or newer as appropriate. Notably, since this security fix has been backported to versions 16.1.6, 16.2.9, 16.3.7 and 16.4.5, the users can choose to update the application to those versions as well.

Relevant Links

Dangerous New Diavol Ransomware

Overview

The SonicWall Capture Labs threat research team has recently observed a new variant of Diavol ransomware. The ransomware executes its malicious activities by utilizing bitmap objects containing binary code and paired JPEG objects containing the DLL names and associated API strings.

Infection Cycle

When beginning execution, the ransomware checks for the presence of a DWORD value from its .SHARDAT section. If the identified DWORD value is determined to be zero, the ransomware proceeds with its malicious operations. The ransomware increments the aforementioned DWORD value to one, indicating the start of its activity.

Conversely, if the DWORD value is already set to one, the ransomware promptly terminates its execution without initiating any malicious operations.

This method allows the ransomware to execute only once on the system.

Figure 1: DWORD values check

Using the VirtualAlloc API, it allocates two memory buffers with read, write and execute (RWX) permissions, intending to load shellcode into these regions later. Next, it checks for any command line parameters passed to the executable.

It supports the parameters below:

  • “-p”: Path to a file containing files/directories to be encrypted
  • “-h”: Path to a file containing remote files/directories
  • “-m”: Mode, one of:
    • local: Encrypts local drives
    • net: Encrypts network drives
    • scan: Scans and encrypts network shares
    • all: Encrypts local and network drives
  • “-log”: Path to a log file

Even if there are no arguments passed, it is still able to successfully encrypt the files locally. Next, it calls time64 to get the current time on the system and uses it as the seed for the srand function to initialize the pseudo-random number generator.

Figure 2: srand function

The ransomware hides its different tasks that are to be performed in bitmaps, which are kept in the PE resource section. Before it runs each task, it copies the binary code from the bitmap to a memory buffer allocated earlier. The imports used by each task are also stored in the resource section under “JPEG” with the same names as the bitmaps.

Figure 3: Resource section containing bitmap objects

The ransomware uses the GENBOTID routine to create a unique identifier for the victim’s system. It calls LoadBitmapW, CreateCompatibleDC, SelectObject and GetObjectW. After that, it calls GetDIBits to retrieve the bits of the bitmap image and copy them into the memory buffer as a DIB.

Figure 4: GENBOTID’s bitmap Image and its corresponding binary view
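The bitmap trick described above is something a triage script can look for: a resource that parses as a valid BMP but whose pixel array has the statistics of packed code rather than of a picture. The following Python is an added example, not Diavol's code and not SonicWall's tooling. The two BMP blobs are constructed inline, and the entropy and run-length thresholds are assumptions chosen for this demonstration; the scoring applies to any BMP blob, not only to resources pulled from this sample.

```python
import math
import random
import struct
from collections import Counter

# Added example (not the malware's code): build two constructed 24-bit BMP blobs
# and score their pixel arrays to separate a genuine picture from a bitmap that
# carries code. Thresholds are assumptions for this demo.


def build_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Wrap a raw pixel array in BITMAPFILEHEADER + BITMAPINFOHEADER (BI_RGB, 24 bpp)."""
    row_size = (width * 3 + 3) & ~3            # each row is padded to a 4-byte boundary
    if len(pixels) != row_size * height:
        raise ValueError("pixel buffer does not match the declared dimensions")
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels),
                       2835, 2835, 0, 0)
    offset = 14 + len(info)
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return file_header + info + pixels


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def longest_run(data: bytes) -> int:
    """Longest run of one repeated byte value; pictures have long runs, code does not."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def analyse_bmp(blob: bytes, entropy_threshold: float = 7.0) -> dict:
    """Parse the BMP headers, extract the pixel array (the part GetDIBits returns), and score it."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP blob")
    _, _, _, _, pixel_offset = struct.unpack_from("<2sIHHI", blob, 0)
    _, width, height, _, bpp, _, image_size = struct.unpack_from("<IiiHHII", blob, 14)
    pixels = blob[pixel_offset:pixel_offset + image_size] if image_size else blob[pixel_offset:]
    ent = shannon_entropy(pixels)
    run = longest_run(pixels)
    # Heuristic (assumption): a real picture has low entropy and long same-colour
    # runs; packed or encrypted code sits near 8 bits/byte with runs of a few bytes.
    suspicious = ent >= entropy_threshold or (ent >= 5.5 and run <= 4)
    return {"width": width, "height": abs(height), "bpp": bpp,
            "pixel_bytes": len(pixels), "entropy": round(ent, 2),
            "longest_run": run, "suspicious": suspicious}


# Constructed samples: a flat two-tone 16x16 picture, and a 16x16 "picture" whose
# pixel array is pseudo-random bytes standing in for a packed payload.
ROW = (16 * 3 + 3) & ~3
GENUINE_PIXELS = bytes([0x80]) * (ROW * 8) + bytes([0x20]) * (ROW * 8)
_rng = random.Random(1234)
PAYLOAD_PIXELS = bytes(_rng.getrandbits(8) for _ in range(ROW * 16))

GENUINE_BMP = build_bmp(16, 16, GENUINE_PIXELS)
PAYLOAD_BMP = build_bmp(16, 16, PAYLOAD_PIXELS)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_BMP), ("payload", PAYLOAD_BMP)):
        print(label, analyse_bmp(blob))
```

Extract the BMP resources with whatever PE parser you already use and pass each blob to analyse_bmp(). Raw, unencrypted x86 code often scores only 5.5 to 7 bits per byte, which is why the heuristic also looks at run length; calibrate both thresholds against the known-good icons and bitmaps in the same binary before relying on the verdict.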

Once the binary code of the GENBOTID bitmap is loaded into the memory, it loads the corresponding name resource file into memory using the FindResource and LoadResource APIs.

Figure 5: GENBOTID’s resource section

The resource file contains the names of the DLLs and the APIs used by the routine. This spares the ransomware from walking the PEB structure to resolve its imports dynamically: it simply calls LoadLibrary and GetProcAddress on the names read from the resource file, and the resolved API addresses are stored at the end of the buffer. It generates the bot id in the format below:

<computer_name> + <username> + “_W” + <OS version in hex> + “.” + <random_GUID_bytes in hex>

Figure 6: BotID

It then builds the content of the POST request as seen below:

cid=<bot_ID>&group=<group_ID>&ip_local1=111.111.111.111&ip_local2=222.222.222.222&ip_external=2.16.7.12.

Figure 7: POST request

It has a hardcoded list of service names to stop on the victim’s system.

Figure 8

Service name list:

[“DefWatch”, “ccEvtMgr”, “ccSetMgr”, “SavRoam”, “dbsrv12”, “sqlservr”, “sqlagent”, “Intuit.QuickBooks.FCS”, “dbeng8”, “QBIDPService”, “Culserver”, “RTVscan”, “vmware-usbarbitator64”, “vmware-converter”, “VMAuthdService”, “VMnetDHCP”, “VMUSBArbService”, “VMwareHostd”, “SQLADHLP”, “msmdsrv”, “tomcat6”, “QBCFMonitorService”, “Acronis VSS Provider”, “SQL Backups”, “SQLsafe Backup Service”, “SQLsafe Filter Service”, “Symantec System Recovery”, “Veeam Backup Catalog Data Service”, “Zoolz 2 Service”, “AcrSch2Svc”, “ARSM”, “BackupExecAgentAccelerator”, “BackupExecAgentBrowser”, “BackupExecDeviceMediaService”, “BackupExecJobEngine”, “BackupExecManagementService”, “BackupExecRPCService”, “BackupExecVSSProvider”, “bedbg”, “MMS”, “mozyprobackup”, “ntrtscan”, “PDVFSService”, “SDRSVC”, “SNAC”, “SQLWriter”, “VeeamBackupSvc”, “VeeamBrokerSvc”, “VeeamCatalogSvc”, “VeeamCloudSvc”, “VeeamDeploymentService”, “VeeamDeploySvc”, “VeeamEnterpriseManagerSvc”, “VeeamHvIntegrationSvc”, “VeeamMountSvc”, “VeeamNFSSvc”, “VeeamRESTSvc”, “VeeamTransportSvc”, “sms_site_sql_backup”, “MsDtsServer”, “MsDtsServer100”, “MsDtsServer110”, “msftesql$PROD”, “MSOLAP$SQL_2008”, “MSOLAP$SYSTEM_BGC”, “MSOLAP$TPS”, “MSOLAP$TPSAMA”, “MSSQL$BKUPEXEC”, “MSSQL$ECWDB2”, “MSSQL$PRACTICEMGT”, “MSSQL$PRACTTICEBGC”, “MSSQL$PROD”, “MSSQL$PROFXENGAGEMENT”, “MSSQL$SBSMONITORING”, “MSSQL$SHAREPOINT”, “MSSQL$SQL_2008”, “MSSQL$SQLEXPRESS”, “MSSQL$SYSTEM_BGC”, “MSSQL$TPS”, “MSSQL$TPSAMA”, “MSSQL$VEEAMSQL2008R2”, “MSSQL$VEEAMSQL2012”, “MSSQLFDLauncher”, “MSSQLFDLauncher$PROFXENGAGEMENT”, “MSSQLFDLauncher$SBSMONITORING”, “MSSQLFDLauncher$SHAREPOINT”, “MSSQLFDLauncher$SQL_2008”, “MSSQLFDLauncher$SYSTEM_BGC”, “MSSQLFDLauncher$TPS”, “MSSQLFDLauncher$TPSAMA”, “MSSQLSERVER”, “MSSQLServerADHelper”, “MSSQLServerADHelper100”, “MSSQLServerOLAPService”, “MySQL57”, “MySQL80”, “OracleClientCache80”, “ReportServer$SQL_2008”, “RESvc”, “SQLAgent$BKUPEXEC”, “SQLAgent$CITRIX_METAFRAME”, “SQLAgent$CXDB”, “SQLAgent$ECWDB2”, 
“SQLAgent$PRACTTICEBGC”, “SQLAgent$PRACTTICEMGT”, “SQLAgent$PROD”, “SQLAgent$PROFXENGAGEMENT”, “SQLAgent$SBSMONITORING”, “SQLAgent$SHAREPOINT”, “SQLAgent$SQL_2008”, “SQLAgent$SQLEXPRESS”, “SQLAgent$SYSTEM_BGC”, “SQLAgent$TPS”, “SQLAgent$TPSAMA”, “SQLAgent$VEEAMSQL2008R2”, “SQLAgent$VEEAMSQL2012”, “SQLBrowser”, “SQLSafeOLRService”, “SQLSERVERAGENT”, “SQLTELEMETRY”, “SQLTELEMETRY$ECWDB2”, “mssql$vim_sqlexp”, “IISAdmin”, “NetMsmqActivator”, “POP3Svc”, “SstpSvc”, “UI0Detect”, “W3Svc”, “aphidmonitorservice”, “intel(r) proset monitoring service”, “unistoresvc_1af40a”, “audioendpointbuilder”, “MSExchangeES”, “MSExchangeIS”, “MSExchangeMGMT”, “MSExchangeMTA”, “MSExchangeSA”, “MSExchangeSRS”, “msexchangeadtopology”, “msexchangeimap4”, “Sophos Agent”, “Sophos AutoUpdate Service”, “Sophos Clean Service”, “Sophos Device Control Service”, “Sophos File Scanner Service”, “Sophos Health Service”, “Sophos MCS Agent”, “Sophos MCS Client”, “Sophos Message Router”, “Sophos Safestore Service”, “Sophos System Protection Service”, “Sophos Web Control Service”, “AcronisAgent”, “Antivirus”, “AVP”, “DCAgent”, “EhttpSrv”, “ekrn”, “EPSecurityService”, “EPUpdateService”, “EsgShKernel”, “ESHASRV”, “FA_Scheduler”, “IMAP4Svc”, “KAVFS”, “KAVFSGT”, “kavfsslp”, “klnagent”, “macmnsvc”, “masvc”, “MBAMService”, “MBEndpointAgent”, “McAfeeEngineService”, “McAfeeFramework”, “McAfeeFrameworkMcAfeeFramework”, “McShield”, “McTaskManager”, “mfefire”, “mfemms”, “mfevtp”, “MSSQL$SOPHOS”, “sacsvr”, “SAVAdminService”, “SAVService”, “SepMasterService”, “ShMonitor”, “Smcinst”, “SmcService”, “SntpService”, “sophossps”, “SQLAgent$SOPHsvcGenericHost”, “swi_filter”, “swi_service”, “swi_update”, “swi_update_64”, “TmCCSF”, “tmlisten”, “TrueKey”, “TrueKeyScheduler”, “TrueKeyServiceHelWRSVC”, “vapiendpoint”]


Similar to the service name list, it also has a list of processes to terminate if they are found running on the system.

Process name list:

[“iexplore.exe”, “msedge.exe”, “chrome.exe”, “opera.exe”, “firefox.exe”, “savfmsesp.exe”, “zoolz.exe”, “firefoxconfig.exe”, “tbirdconfig.exe”, “thunderbird.exe”, “agntsvc.exe”, “dbeng50.exe”, “dbsnmp.exe”, “isqlplussvc.exe”, “msaccess.exe”, “msftesql.exe”, “mydesktopqos.exe”, “mydesktopservice.exe”, “mysqld-nt.exe”, “mysqld-opt.exe”, “mysqld.exe”, “ocautoupds.exe”, “ocssd.exe”, “oracle.exe”, “sqlagent.exe”, “synctime.exe”, “thebat.exe”, “thebat64.exe”, “encsvc.exe”, “ocomm.exe”, “xfssvccon.exe”, “excel.exe”, “infopath.exe”, “mspub.exe”, “onenote.exe”, “outlook.exe”, “powerpnt.exe”, “visio.exe”, “wordpad.exe”, “CNTAoSMgr.exe”, “mbamtray.exe”, “NtrtscPccNTMon.exe”, “tmlisten.exe”, “sqlmangr.exe”, “RAgui.exe”, “QBCFMonitorService.exe”, “supervise.exe”, “fdhost.exe”, “Culture.exe”, “RTVscan.exe”, “Defwatch.exe”, “wxServerView.exe”, “GDscan.exe”, “QBW32.exe”, “QBDBMgr.exe”, “qbupdate.exe”, “axlbridge.exe”, “360se.exe”, “360doctor.exe”, “QBIDPService.exe”, “wxServer.exe”, “httpd.exe”, “fdlauncher.exe”, “MsDtSrvr.exe”, “tomcat6.exe”, “java.exe”, “wdswfsafe.exe”]

For enumerating the disk, it uses GetLogicalDriveStringsW to get the list of all drives on the system. The drive letters are then converted into lowercase, and only those drives that are DRIVE_REMOTE or DRIVE_FIXED are processed.

Figure 9: Checking drive type

It also checks each path against an exclusion list before encrypting it. The default exclusion list is:

*.exe,*.sys,*.dll,*.lock64,*readme_for_decrypt,*locker.txt,*unlocker.txt,%WINDIR%\,%PROGRAMFILES%\,%PROGRAMW6432%\,*\Microsoft\,*\Windows\,*\Program Files*\,%TEMP%\.

Figure 10: Checking for the exclusion path

Encrypted files are given a .lock64 extension, and the file README_FOR_DECRYPT.txt is created in each affected directory.

Figure 11

Figure 12: Ransomware note


It also changes the wallpaper.

Figure 13: Ransomware wallpaper


Once the process is completed, it deletes itself.

Figure 14: Command for self-deletion


SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: DiavolCrypt.RSM (Trojan)

Infostealer Trojan with Remote Access and Ransomware Capabilities Seen in the Wild

This week, the SonicWall Capture Labs threat research team analyzed a full-featured infostealer and remote access trojan that also has ransomware functionality built in. This trojan is capable of terminating applications, logging keystrokes, opening web pages, connecting to a remote host, executing DDoS attacks and encrypting the victim’s data.

Infection Cycle:

The malware arrives as a portable executable using the following file name and icon:


Figure 1: Filename and icon used by the trojan

Upon execution, it creates a copy of itself in the temp directory named csrss.exe. It then spawns the legitimate Windows Task Scheduler and runs a schtasks command to ensure that this copy runs periodically.


Figure 2: Scheduled task added

It also adds a run key in the HKU hive:

  • HKU\Software\Microsoft\Windows\CurrentVersion\Run csrss %temp%\csrss.exe
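Both persistence artifacts described above, the scheduled task and the Run value, share two tells: an executable that borrows the name of a Windows system process (csrss.exe) but lives outside System32, and an autorun that points into a temp directory. The following Python is an added example, not code from the SonicWall analysis. It triages autorun records you would collect with your own tooling (registry Run values and scheduled-task actions); the sample entries are constructed, the SID in them is a placeholder, and the set of impersonated process names is an assumption for the demo.

```python
import ntpath
import re
from dataclasses import dataclass

# Added example (not from the SonicWall analysis). Windows system process names
# that malware likes to borrow; the genuine binaries live only under System32 or
# SysWOW64 and are never started from a Run key or a user-created task.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                        "svchost.exe", "winlogon.exe", "wininit.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Unexpanded %TEMP%/%TMP% variables, or a literal \Temp\ or \tmp\ path component.
TEMP_DIR_RE = re.compile(r"%temp%|%tmp%|\\temp\\|\\tmp\\", re.IGNORECASE)


@dataclass
class AutorunEntry:
    source: str    # where the entry was found: registry key path or task path
    name: str      # Run value name or scheduled task name
    command: str   # the command line that gets executed


def command_image(command: str) -> str:
    """Return the executable path from a command line (handles a quoted path)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(entry: AutorunEntry) -> list[str]:
    """Reasons an autorun entry resembles the persistence described in the write-up."""
    reasons = []
    image = command_image(entry.command)
    base = ntpath.basename(image).lower()
    directory = ntpath.normpath(ntpath.dirname(image)).lower()
    name = entry.name.lower()
    if name in SYSTEM_PROCESS_NAMES or name + ".exe" in SYSTEM_PROCESS_NAMES:
        reasons.append(f"autorun entry named after system process {entry.name!r}")
    if base in SYSTEM_PROCESS_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{base} running from outside System32: {image}")
    if TEMP_DIR_RE.search(image):
        reasons.append(f"executable launched from a temp directory: {image}")
    return reasons


def triage_all(entries: list[AutorunEntry]) -> dict[str, list[str]]:
    """Map each flagged entry (source :: name) to its reasons; clean entries are omitted."""
    flagged = {}
    for entry in entries:
        reasons = triage(entry)
        if reasons:
            flagged[f"{entry.source} :: {entry.name}"] = reasons
    return flagged


# Constructed sample records (the SID is a placeholder): the two artifacts from the
# write-up plus one benign Run value for contrast.
SAMPLE_ENTRIES = [
    AutorunEntry(r"HKU\S-1-5-21-PLACEHOLDER\Software\Microsoft\Windows\CurrentVersion\Run",
                 "csrss", r"%temp%\csrss.exe"),
    AutorunEntry(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
                 "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(r"Task: \Updater", "Updater",
                 r'"C:\Users\alice\AppData\Local\Temp\csrss.exe" /silent'),
]

if __name__ == "__main__":
    for key, reasons in triage_all(SAMPLE_ENTRIES).items():
        print(key)
        for reason in reasons:
            print("   -", reason)
```

The checks are deliberately path-based rather than hash-based, so they keep working when the sample is recompiled; pair them with a hash or signature check on the image file itself when you need a firm verdict.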

During runtime, it intermittently connects to a remote host.


Figure 3: Malware seen connecting to a remote host

It also creates a log file in the user’s temp directory, which appears to record captured keystrokes, websites visited and processes executed.


Figure 4: Log file with all the keystrokes logged during runtime

Upon further analysis, this trojan appears to be capable of encrypting files with AES, using the .NET RijndaelManaged class.


Figure 5: AES encryption function inside this trojan

It also has the ability to open and close arbitrary web pages, shut down, log off or restart the machine, run PowerShell commands, and start a DDoS attack.


Figure 6: All the other malicious functionalities available within this trojan

This trojan also has the ability to capture screenshots of the victim’s machine.


Figure 7: Screen capturing functionality within the trojan

SonicWall Protections:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Malagent.XCL (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI and Capture Client endpoint solutions.

DNS Filtering: Enhancing Online Security with SonicWall

With the internet now an integral part of our lives, ensuring a safe and secure online experience has never been more crucial. But as cyber threats continuously evolve and hackers grow more sophisticated, traditional security measures may no longer suffice. This is where DNS filtering, powered by SonicWall, both emerges as the first line of defense and interlocks with your firewall protection.

As part of the recent SonicOS 7.1 feature release, which focused on increasing threat protection, SonicWall introduced more advanced DNS filtering capabilities than were seen in previous generations. In the past, DNS security was limited to DNS Tunnel Detection and DNS Sinkholes. With the release of SonicOS 7.1, DNS filtering inspects DNS traffic in real time and provides the ability to block threats before they can reach your network.   

The Significance of DNS Filtering

Layers of defense are necessary to safeguard critical business assets and information. DNS filtering acts as a robust shield against cyber threats by leveraging SonicWall’s advanced algorithms and real-time updates, which ensure that the latest threats are promptly identified and blocked. The deep packet inspection capabilities in SonicWall NGFWs discover hidden threats in the headers and contents of data packets, while DNS filtering prevents users from reaching dangerous or unproductive sites and applications.

By accurately separating the harmless from the malicious, our solution fortifies your network, allowing your business to flourish without disruptions caused by cyber threats. Here are the three key ways DNS filtering accomplishes this:

Safeguarding Against Malicious Websites

The number of websites online today is mind-boggling — and some pose serious risks to unsuspecting users. These websites harbor malware, phishing scams and other threats. DNS filtering acts as a critical shield, intercepting users’ DNS requests and cross-referencing them against a database of known malicious domains. By doing so, it effectively blocks users from accessing these suspicious websites, thus securing them from potential harm.

With DNS filtering, you can:

  • Prevent inadvertent encounters with malicious websites
  • Mitigate identity theft, financial loss, and the compromise of sensitive information
  • Proactively block access to known malicious domains, reducing the risk of malware infections and other cyberattacks

Filtering Inappropriate Content

Apart from protecting against malicious websites, DNS filtering also serves as an effective means of filtering out inappropriate content. This aspect is particularly essential for those charged with safeguarding children and maintaining a safe online environment. DNS filtering empowers schools, parents and other guardians to establish filters that restrict access to adult content, violence and other unsuitable material. This feature provides peace of mind and cultivates a more nurturing online experience for kids and teens.

With DNS filtering, you can:

  • Gain an additional layer of protection by blocking access to websites hosting explicit content, violence, or objectionable material
  • Personalize filters to align with a specific set of needs or values, ensuring children are shielded from inappropriate content while ensuring access to age-appropriate materials relevant to coursework

Enhancing Network Performance

Another advantage of DNS filtering is its positive impact on network performance. By blocking access to unnecessary or undesirable websites, it reduces bandwidth consumption and optimizes internet speeds. This proves particularly beneficial in corporate environments, where unknowingly accessing sites can jeopardize network performance and security.

DNS filtering guarantees that only necessary and trusted websites are accessible, promoting a more efficient utilization of network resources.

With DNS filtering, you can:

  • Prevent access to websites that consume excessive bandwidth or pose security risks
  • Maximize internet speeds for critical tasks and applications

In conclusion, DNS filtering, supported by robust SonicWall capabilities, plays a vital role in maintaining a secure and productive online environment. By safeguarding against malicious websites, filtering inappropriate content and improving network performance, DNS filtering offers immense benefits to both individuals and organizations. In an era where cyber threats continue to grow in sophistication, DNS filtering offers a proactive way to combat potential risks.

Take Action Now: Deploy DNS Filtering Service

Don’t let cyber threats hinder your business potential. Secure your online journey today with our DNS Filtering Service, backed by the top-notch protection and unparalleled ease of use SonicWall is known for.

Are you ready to join countless satisfied businesses who have already elevated their security to the next level? Contact us to find out more.

Details Matter: Why Threat Headlines Shouldn’t Direct Your Strategy

Originally published in the December 2023 issue of Cyber Defense Magazine.

As Ferris Bueller once said, “Life moves pretty fast.” Most people, especially cybersecurity professionals, know the feeling. Minutes — sometimes seconds — matter in dealing with cybersecurity incidents. But how do you slow down time? What makes it so difficult to stay current or to prioritize what is on today’s agenda for a security operations center? It’s all in the minor details.

Parents can often recognize this instinctively. If your son or daughter wakes up one morning and you ask them, “How did you get home last night?” and they respond with, “I hitched a ride with a complete stranger,” a protective parent may gasp with surprise and concern. However, if the response has more details, such as, “I took an Uber at 3 a.m. from my friend’s house, because I wanted to get home safely,” the same protective parent could react differently and prioritize the conversation accordingly.

On October 3, Daniel Stenberg posted on X about a new “High” vulnerability in the curl ecosystem that would be publicly disclosed on October 11. Due to the popularity of both curl and Daniel’s social media influence, the cybersecurity world exploded with anticipation of a highly impactful and severe security issue; however, the post provided very few details about the actual issue.

The Windup

Daniel’s initial post on X sparked many questions, some of which people were not afraid to ask on X.

Phrases such as “likely to go full meltdown” and “worst security problem found in curl in a long time,” coupled with a reluctance to provide any additional details, had media outlets and security experts writing articles about how this vulnerability would be the next big security concern for the computing world. (It’s also important to note the context around the term “High” in regards to the National Vulnerability Database (NVD). From a standard scoring perspective, a “High” vulnerability has a CVSS score of 7.0-8.9.)

This is important, since there is a precedent that “meltdown”-level vulnerabilities are typically rated 9.0 or above — hence the “Critical” rating. This means there was a potential conflict in the minor details, but in our culture the mismatch is often ignored in favor of the more severe interpretation.

The Details

On October 11, as promised, the details of the vulnerability were made public and the world was set on fire, but in a different manner than one may have expected.

It’s important to take a moment to acknowledge the main lesson learned from the release is the absolute professionalism and care Daniel Stenberg took in addressing this issue. If every vendor and open-source project followed his example, we would, without question, have a more secure technology world. A vulnerability was discovered and reported by a security researcher on a highly impactful platform, and it was patched in a timely manner with full transparency on the issues and how it was addressed. All before, to the best of the community’s knowledge, any active exploitation had occurred. More simply put — the process worked flawlessly.

What did the release say?

In a nutshell, the published details revealed a memory corruption vulnerability in a large number of installed versions of both curl and libcurl, and exploitation required a special set of conditions to be true. Instead of the main conversation being about the technical details of the vulnerability, a conversation about the hype that surrounded the vulnerability took center stage. Why? While it was clearly stated in the initial messaging that the issue was a “High” severity bug, the extreme language provided a false sense of a critical issue.

At the time of this writing, NVD hadn’t published a CVSS score indicating an official “High” vs. “Critical” rating. Some researchers have taken the details and predicted a score varying from 7.5 to 8.8, both of which are High ratings. Therefore, the details surrounding the exploitation requirements of the vulnerability indeed confirmed a “High” level vulnerability and not a critical one. However, these details were originally left to the imagination of the reader.

The Impact of Change

If the vulnerability is patched and the disclosure information is accurate, does it matter? The problem with overhype is it often causes a reaction or change in prioritization. Cybersecurity is already overwhelmed with events and starving for resources to address them. This dictates that prioritization of actions is the most important task for any organization: What issues are the highest risk right now and how do I address them? While sometimes the cost of change is minimal, at other times it’s a cost that can’t be afforded.

It is imperative that security researchers continue to responsibly disclose vulnerabilities to closed and open-source projects. Transparency about these vulnerabilities, along with patches (as the curl project did so well), is the only way for defenders to have the information required to defend our ever-growing technology stack. It is also our responsibility to keep a factual, data-driven, non-emotional response to these events; to focus on the details; and to work together to responsibly use the resources we have at our disposal.

So, the next time “life comes at you pretty fast,” it pays dividends to “stop and look around once in a while.” It helps in making sure your team focuses your resources and efforts on the most critical and urgent issues that pose the greatest threat to your organization by paying attention to the minor details.

Microsoft Security Bulletin Coverage for January 2024

Overview

Microsoft’s January 2024 Patch Tuesday has 48 vulnerabilities, 11 of which are Remote Code Execution. The vulnerabilities can be classified into the following categories:

  • 11 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 10 Elevation of Privilege Vulnerabilities
  • 6 Denial of Service Vulnerabilities
  • 7 Security Feature Bypass Vulnerabilities
  • 3 Spoofing Vulnerabilities

Figure 1: Vulnerabilities by category

The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of January 2024 and has produced coverage for 5 of the reported vulnerabilities.

Vulnerabilities with Detections

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

  • ASPY 523 Exploit-exe exe.MP_362

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

  • ASPY 524 Exploit-exe exe.MP_363

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

  • ASPY 525 Exploit-exe exe.MP_364

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

  • ASPY 521 Exploit-exe exe.MP_360

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

  • ASPY 522 Exploit-exe exe.MP_361

Remote Code Execution Vulnerabilities

CVE-2024-20654     Microsoft ODBC Driver Remote Code Execution Vulnerability

CVE-2024-20655     Microsoft Online Certificate Status Protocol (OCSP) Remote Code Execution Vulnerability

CVE-2024-20676     Azure Storage Mover Remote Code Execution Vulnerability

CVE-2024-20677     Microsoft Office Remote Code Execution Vulnerability

CVE-2024-20682     Windows Cryptographic Services Remote Code Execution Vulnerability

CVE-2024-20696     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20697     Windows Libarchive Remote Code Execution Vulnerability

CVE-2024-20700     Windows Hyper-V Remote Code Execution Vulnerability

CVE-2024-21307     Remote Desktop Client Remote Code Execution Vulnerability

CVE-2024-21318     Microsoft SharePoint Server Remote Code Execution Vulnerability

CVE-2024-21325     Microsoft Printer Metadata Troubleshooter Tool Remote Code Execution Vulnerability

Elevation of Privilege Vulnerabilities

CVE-2024-20653     Microsoft Common Log File System Elevation of Privilege Vulnerability

CVE-2024-20656     Visual Studio Elevation of Privilege Vulnerability

CVE-2024-20657     Windows Group Policy Elevation of Privilege Vulnerability

CVE-2024-20658     Microsoft Virtual Hard Disk Elevation of Privilege Vulnerability

CVE-2024-20681     Windows Subsystem for Linux Elevation of Privilege Vulnerability

CVE-2024-20683     Win32k Elevation of Privilege Vulnerability

CVE-2024-20686     Win32k Elevation of Privilege Vulnerability

CVE-2024-20698     Windows Kernel Elevation of Privilege Vulnerability

CVE-2024-21309     Windows Kernel-Mode Driver Elevation of Privilege Vulnerability

CVE-2024-21310     Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability

Denial of Service Vulnerabilities

CVE-2024-20661     Microsoft Message Queuing Denial of Service Vulnerability

CVE-2024-20672     .NET Core and Visual Studio Denial of Service Vulnerability

CVE-2024-20687     Microsoft AllJoyn API Denial of Service Vulnerability

CVE-2024-20699     Windows Hyper-V Denial of Service Vulnerability

CVE-2024-21312     .NET Framework Denial of Service Vulnerability

CVE-2024-21319     Microsoft Identity Denial of Service vulnerability

Information Disclosure Vulnerabilities

CVE-2024-20660     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20662     Windows Online Certificate Status Protocol (OCSP) Information Disclosure Vulnerability

CVE-2024-20663     Windows Message Queuing Client (MSMQC) Information Disclosure

CVE-2024-20664     Microsoft Message Queuing Information Disclosure Vulnerability

CVE-2024-20680     Windows Message Queuing Client (MSMQC) Information Disclosure

CVE-2024-20691     Windows Themes Information Disclosure Vulnerability

CVE-2024-20692     Microsoft Local Security Authority Subsystem Service Information Disclosure Vulnerability

CVE-2024-20694     Windows CoreMessaging Information Disclosure Vulnerability

CVE-2024-21311     Windows Cryptographic Services Information Disclosure Vulnerability

CVE-2024-21313     Windows TCP/IP Information Disclosure Vulnerability

CVE-2024-21314     Microsoft Message Queuing Information Disclosure Vulnerability

Security Feature Bypass Vulnerabilities

CVE-2024-0056     Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0057     .NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability

CVE-2024-20652     Windows HTML Platforms Security Feature Bypass Vulnerability

CVE-2024-20666     BitLocker Security Feature Bypass Vulnerability

CVE-2024-20674     Windows Kerberos Security Feature Bypass Vulnerability

CVE-2024-21305     Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability

CVE-2024-21316     Windows Server Key Distribution Service Security Feature Bypass

Spoofing Vulnerabilities

CVE-2024-20690     Windows Nearby Sharing Spoofing Vulnerability

CVE-2024-21306     Microsoft Bluetooth Driver Spoofing Vulnerability

CVE-2024-21320     Windows Themes Spoofing Vulnerability

CAFE TECH: Serving Up SonicWall, One Cup at a Time

Catching up with friends and colleagues over a cup of coffee is a time-honored tradition. But what if you could enjoy a coffee break with more than a thousand of your friends at once, keeping them up to date in a way that’s as entertaining and relevant as it is informative?

That’s the idea behind SonicWall’s CAFE TECH, a series of 30-minute videos designed to share useful technical information with a SonicWall spin.

A Robust Beginning

After I joined SonicWall in mid-2020, I’d often invite partners to join me for a cup of coffee. I’d update them on our latest developments and upcoming launches, and they’d share some of their thoughts and ideas.

While I enjoyed these casual chats immensely, I was soon doing 10-15 of these meetings a week — and I still wasn’t able to speak with everyone I needed to. So I had an idea: What if I could scale these catchup meetings in a way that would preserve the casual, intimate feel but would allow me to connect with all the partners in my region, at whatever time worked best for them?

The Café Is Open

The first invite for CAFE TECH was sent in January 2021. Shortly thereafter, I grabbed my trademark SonicWall mug, switched on my camera, and began what would become the longest-running series in SonicWall history.

True to the in-person meetings that were already working well, we kept sessions to 30 minutes, just long enough for coffee and a donut or croissant. And much like the opening of a real-life café, the original approach was hyper-local — sessions were limited to EMEA and were in English only.

The topics were fairly limited, too, generally designed to spread awareness and generate interest around launches. But as we looked at how we could provide more value for our partners, we began transitioning from a product-centric approach to one centered around use cases — and our viewership continued to grow.

A Café on Every Corner

Before long, we saw an opportunity to expand CAFE TECH’s footprint. Today, we offer CAFE TECH sessions in German, French, Spanish, Portuguese, Italian and English. Each region works off a single deck, ensuring that the core messaging remains consistent across the globe—but that doesn’t mean we’re taking a cookie-cutter approach. All regions add their local touch, with local language, needs and use cases.

A Coffee to Go

Paradoxically, CAFE TECH opened the door to more in-person interaction. In part due to interest generated by CAFE TECH, we connected with at least 140 different partners in the first six months.

I was recently invited to a roadshow in Italy, where they liked one of our CAFE TECH presentations so much they wanted me to host a live roundtable event based on it. And a CTO at a UK event recently requested help setting up an industry-specific CAFE TECH for healthcare.

There’s also been an uptick in partners running CAFE TECH with their customers. Their distribution team modifies the content for their end customers and then runs it later, often leveraging the same SonicWall regional SE who originally presented.

Finding the Perfect Blend

While the strength of SonicWall’s products and partner community contribute to CAFE TECH’s popularity, it’s bolstered by a philosophy of continuous improvement. Each week I challenge the team: Are we talking enough about use cases? Why does this slide matter? Is this context necessary?

In combination with listening to our partners, this has gradually transformed CAFE TECH from live-action white papers into a unique offering that partners love and consider high-value. But as we enhanced and expanded our content, we soon realized these sessions might be valuable to end users, too.

The result is a CAFE TECH designed to appeal not only to our most experienced partners and customers, but also to brand-new partners and users. We’ve eliminated most of the acronyms in favor of content that even someone who’s brand-new to SonicWall can understand.

To help facilitate this, we’ve moved from presenting on RingCentral to a new home on BrightTalk. We just passed 30,000 viewers on our EMEA BrightTalk channel, and these subscribers are helping grow CAFE TECH’s following: One recent session drew three times the expected number of registrants. Best of all, most stay for the whole session, and nearly a quarter rewatch sessions after the fact.

An increasing number of these attendees are end users. In the less than six months since we opened CAFE TECH up to the public, the percentage of attendees that are customers has grown to more than half. These customers cover the gamut from SMB to enterprise. Some attendees don’t have SonicWall anywhere in their entire ecosystem, and some are people we’ve never even spoken with.

All this success is having a measurable impact on SonicWall’s bottom line in the form of pipeline growth and very high successful close rates. Most importantly, because SonicWall is 100% channel-driven, this success means CAFE TECH is helping our partners to be more successful, too.

What’s Brewing for the Future

Going forward, our goal will be continuing to balance the needs of our longstanding partners, our new partners who have questions like “How can I take an order?”, and our end users, who want to know about value and how solutions make their lives easier.

In the new year, I’d like to have actual customers, partners and distributors discussing what they’ve learned and done, and the outcomes of that. Partners like to hear from other partners who’ve been successful, and customers want to see how to solve their problems.

In the meantime, we’ll be continuing to ensure CAFE TECH is the premier destination for keeping up with SonicWall developments, region-specific advice and industry happenings. And just like with a traditional café, we’re here to serve you — if there’s an idea we haven’t covered, but you’d like us to, you can email me directly and I’ll happily take that on. There’s room for everyone in CAFE TECH, and we welcome the opportunity to connect and collaborate with you.

Click here to explore recent CAFE TECH sessions!