Critical Vulnerabilities Of Network Security Devices Being Utilized By Mirai Botnet Malware

The SonicWall Capture Labs Threat Research team has received reports of a new Mirai botnet malware campaign targeting network security devices. The attack targets many different brands of connected network security devices that are affected by critical vulnerabilities. The following vulnerabilities are involved:

  • CVE-2020-25506: D-Link DNS-320 firewall exploit
  • CVE-2021-27561: Yealink Device Management remote code-execution (RCE)
  • CVE-2021-27562: Yealink Device Management remote code-execution (RCE)
  • CVE-2020-26919: Netgear ProSAFE Plus exploit
  • CVE-2021-22502: Micro Focus Operation Bridge Reporter RCE
  • CVE-2019-19356: Netis WF2419 Wireless Router Remote Code Execution (RCE)
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability

On March 16, 2021, the SonicWall Capture Labs Threat Research team released the following signatures to protect against these attacks:

  • CVE-2020-25506
    IPS:15455 D-Link DNS-320 system_mgr.cgi Command Injection
  • CVE-2021-27561/CVE-2021-27562
    IPS:15456 Yealink DM Remote Code Execution
  • CVE-2021-22502
    IPS:15457 Micro Focus Operations Bridge Reporter Command Injection
  • CVE-2019-19356
    IPS:15458 Netis WF2419 netcore_set.cgi Remote Code Execution
  • VisualDoor: SonicWall SSL-VPN Remote Command Injection Vulnerability
    This is an old vulnerability; SonicWall released a patch for it in 2015. Existing signatures also detect it:
    IPS:5603 GNU Bash Code Injection (CVE-2014-6271) 2
    IPS:13064 GNU Bash Code Injection (CVE-2014-6278)
  • GAV signatures to cover malware samples:
    GAV: Mirai.LL
    GAV: Mirai.LL_1


Bash Code Injection Vulnerabilities Update (Oct 3, 2014)

More GNU Bash vulnerabilities have been disclosed since Sep 25, 2014, and Dell SonicWALL continues to monitor the Internet and analyze the vulnerabilities.
Here’s the latest coverage of the GNU Bash Code Injection Vulnerabilities:

    CVE-2014-6271
    • IPS sid:10529 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 1”
    • IPS sid:5603 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 2”
    • IPS sid:5605 “GNU Bash Code Injection Vulnerability (CVE-2014-6271) 3”

    CVE-2014-6277
    • IPS sid:5667 “GNU Bash Code Injection Vulnerability (CVE-2014-6277, CVE-2014-7186) 1”

    CVE-2014-6278
    • IPS sid:5661 “GNU Bash Code Injection Vulnerability (CVE-2014-6278, CVE-2014-7169) 1”

    CVE-2014-7169
    • IPS sid:5661 “GNU Bash Code Injection Vulnerability (CVE-2014-6278, CVE-2014-7169) 1”

    CVE-2014-7186
    • IPS sid:5667 “GNU Bash Code Injection Vulnerability (CVE-2014-6277, CVE-2014-7186) 1”

    CVE-2014-7187
    • IPS sid:5669 “GNU Bash Code Injection Vulnerability (CVE-2014-7187) 1”

Dell SonicWALL also observed millions of attack attempts during the last 9 days, shown below:

The number reached its peak on Sep 29 and then started decreasing. We expect the number to keep dropping to a certain level and then remain steady.

OpenSSL Heartbleed: 3 Months Later (July 3, 2014)
