Posts

Wind River VxWorks and URGENT/11: Patch Now

Notice: SonicWall physical firewall appliances running certain versions of SonicOS utilize third-party TCP/IP code for remote management that contain vulnerabilities named URGENT/11. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild, however:

SonicWall STRONGLY advises to apply the SonicOS patch immediately. Patches are available for all recent SonicOS versions. Detailed instructions are provided in the Security Advisory.

SonicWall provides the patched versions of SonicOS at no charge, including for customers not currently covered by an active support contract. SonicWall also recommends updating to the latest SonicOS release (6.5.4.4), which provides firewall capabilities to help protect other devices vulnerable to URGENT/11.


Wind River VxWorks and URGENT/11 vulnerabilities

Security researchers at Armis have discovered and responsibly disclosed 11 vulnerabilities in the TCP/IP stack of Wind River’s VxWorks real-time operating system, which is utilized by millions of devices around the world, as well as in space, on Mars and in certain versions of SonicOS. The Wind River VxWorks TCP/IP stack, named IPNET, contains vulnerabilities that have been given the name “URGENT/11.”  The one material vulnerability type that impacted SonicOS is addressed by the patch releases.

Unmanageable & un-patchable: The Wild West of IoT

Wind River VxWorks is a real-time operating system that is widely used in IoT and embedded applications, such as networking, telecom, automotive, medical, industrial, consumer electronics, aerospace and beyond.

While firewalls are charged with protecting perimeters of organizations, they are actively managed and monitored devices, frequently from a central location. For every firewall, there is a human who wakes up each morning with a question, “Is my firewall working? Is it up to date?” Within days of an update becoming available, these humans schedule a maintenance window and close the security gap.

However, for the overwhelming majority of other devices connected or exposed to the internet, there is no such human, and the number of these IoT devices is larger than that of firewalls by several orders of magnitude. It is this multitude of connected devices that are not actively managed or patched that poses an iceberg-like risk to the internet.

Vulnerabilities are eventually discovered for even the best software, and the security of the internet and the online ecosystem relies on the ability to roll out and deploy the fixes.

In the mid-year update to the 2019 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers have already logged 13.5 million IoT attacks, which outpaces the first two quarters of 2018 by 54.6%.

This reality is taking hold in the minds not only of security practitioners, but also of government regulators, as the hundreds of millions of IoT devices are found to be vulnerable and remain unpatched.

This is one of the risky underbellies of the internet, led by the explosion of IoT devices, including consumer-grade devices that are frequently deployed at the edge of the internet and then forgotten for a decade. IoT’s broad reach should reverberate through several industries as a wakeup call.

‘Never stop patching’

The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, which are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.

Do not ignore them or put them off. Patch now. And never stop patching.

SonicOS 6.5, the Biggest Update in Company History, Delivers Powerful Security, Networking and Usability Capabilities

Keeping organizations running safely, while improving business and user productivity in today’s accelerating threat environment, continues to be a non-trivial task for IT leaders. At the current pace of cyber attacks, we understand all too well that the effects of recent events, such as the Equifax, WannaCry and NotPetya attacks, have demonstrated their capacity to change the global business environment from normal to total hysteria in the blink of an eye.

When news breaks on new data breaches, we see a surge in conversations with our SonicWall partner and customer communities about security and risk assessments. These engagements reinforce our development commitment to ensure every new product release delivers more tools and capabilities to protect their networks and data, and subsequently avoid the unnecessary breach.

Delivering on that commitment, I am thrilled to introduce SonicWall’s biggest firewall feature release in its history. SonicWall SonicOS 6.5 is packed with powerful security, networking and usability capabilities, and meets the security operation requirements of organizations of various sizes and use cases. SonicOS 6.5 focuses on empowering IT leaders and their security teams to:

  • Elevate their breach detection and prevention capacity
  • Manage and enforce security controls across the entire organization
  • Bring the latest in wireless speed, performance and security for cloud and mobile users
  • Scale firewall networking, connectivity and performance for uncompromised, uninterrupted network services

SonicOS 6.5 delivers the following customer-focused outcomes as part of SonicWall’s expanding Automated Real-Time Breach Detection and Prevention Platform.

1. Bolster breach prevention capabilities for wired, wireless and cloud-enabled network environments

  • SonicOS 6.5 includes 60-plus new features, nearly half of which focus on enabling the latest Wi-Fi standard, 802.11ac Wave 2, to deliver matching network security performance, connectivity and security between wired and wireless networks.
  • The combination of SonicWall firewalls and the new SonicWave 802.11ac Wave 2 series of wireless access points gives customers the assurance that their users have uninterrupted, secure and fast access to business services and resources over wired and wireless connections.
  • Built-in features, like Wireless Deployment Tools, greatly aid in planning and building a robust wireless infrastructure, while Band Steering, Airtime Fairness and others improve the overall wireless service quality and performance to give users a safe, productive wireless experience. This helps eliminate dropped connections and slowness anytime, anywhere and in any environment within the workplace. Moreover, Dynamic VLAN assignment segments wireless users based on their roles and group associations to prevent advanced threats from spreading.
  • SonicOS 6.5 expands the threat API capabilities to help customers establish a path toward security automation. Through greater firewall collaboration with third-party security ecosystem, the firewall can automatically pull external intelligence sources for threat detection and protection, and security policies enforcement. For example, our Dynamic Botnet List feature enables customers to program their firewalls to download private third-party lists that contain desired security information, such as malicious IP and URL addresses, that they want the firewall to block for additional threat coverage.
  • For distributed organizations that have offices operating on different network domains, the new multi-domain security management capability in SonicOS 6.5 helps them manage and enforce discrete security policies across those domains. Based on service levels, risk tolerance, compliance and/or legal requirements, administrators can apply identical security controls to all domains or specific policy to a single domain or group of domains. This flexibility helps reduce the attack surface, eliminate security gaps, isolate risks and prevent any lateral movement of backdoor, network-based attacks, such as WannCry and NotPetya.

2. Increase scalability and connectivity of the firewall system

  • Advances in Layer 2/3 network and connectivity help customers optimize system availability and performance, and scale the firewall to deliver uncompromised, uninterrupted threat protection for every connected network domain. Supported on all SonicWall next-generation firewall (NGFW) models, including the newest NSA 2650, SonicOS 6.5 also supports daisy-chaining and management of Dell X-Series switches, Virtual Wire Mode, Dynamic LAG using LACP and Equal Cost Multi-Path (ECMP).
  • Using multi-domain security management in conjunction with virtual wire mode gives customers the ability to micro-segment and manage their virtual networks. These also provide independent security management, policies, controls and scanning to each virtual network with its separate security zone.

3. Improve ease of use and firewall management

  • SonicOS 6.5 introduces a completely redesigned user interface (UI) for a fresh, productive user experience (UX). This new UI gives users an executive dashboard loaded with security, user and traffic information. It also offers an organized, familiar and easily-understood menu-driven security management console. The dashboard presents a consolidated view of the live firewall security environment. This view includes a threat index, security events and data, network performance and connectivity, and application and bandwidth usage. The intuitive UI lets users complete security tasks faster, and with greater ease, from a single-pane-of-glass.

SonicWall Expands Scalability of its Next-Generation Firewall Platforms and DPI SSL to Address Encrypted Threats

Day after day, the number of users is growing on the web, and so is the number of connections. At the same time, so is the number of cyberattacks hidden by encryption. SonicWall continues to tackle the encrypted threat problem by expanding the number of SSL/TLS connections that it can inspect for ransomware.

Today, a typical web browser keeps 3-5 connections open per tab, even if the window is not the active browser tab. The number of connections can easily increase to 15 or 20 if the tab runs an online app like Microsoft SharePoint, Office web apps, or Google Docs. In addition, actions such as loading or refreshing the browser page may temporarily spike another 10-50 connections to retrieve various parts of the page. A good example this scenario is an advertisement heavy webpage that can really add connections if the user has not installed an ad blocker plugin. Also keep in mind that many ad banners in web pages embed a code to auto-refresh every few seconds, even if the current tab is inactive or minimized. That said, it makes a lot of difference how many browser tabs your users typically keep open continuously during the day and how refresh-intensive those pages are.

We can make some assumptions on the average number of connections for different types of users.  For example, light web users may use an average of 30-50 connections, with peak connection count of 120-250.  On the other hand, heavy consumers may use twice that, for up to 500 simultaneous connections.

If a client is using BitTorrent on a regular basis that alone will allocate at least 500 connections for that user (with the possibility to consume 2,000+ connections). For a mainstream organization it is safe to assume that on average 80% of the users are considered as light consumers, whereas the remaining 20 percent are heavy consumers. The above numbers will provide a ballpark of a few hundred thousand connections for a company of 1,000 employees – 3 to 5 times higher than the number of connections for the same organization a decade ago.

With all the changes in browser content delivery and presentation, as well as users’ advanced manipulation of the web and its content, it’s necessary for SonicWall to address the forever increasing demand in the number of connections to satisfy the customer need and provide them with a better user experience. In the recently released SonicOS 6.2.9 for SonicWall next-gen firewalls, our engineering team has increased the number of stateful packet inspection (SPI) and deep packet inspection (DPI) connections to better serve this need.

Below is the new connection count  for Stateful Packet Inspection connections for SonicWall Gen6 Network Security Appliance  (NSA) and SuperMassive Series firewalls in the new SonicOS 6.2.9 when compared to the same count in the previous 6.2.7.1:

SPI Connection Chart

In addition, the number of DPI connections has increased up to 150 percent on some platforms. Below is a comparison of the new connection count in SonicOS 6.2.9 against SonicOS 6.2.7.1.
DPI Connection Chart

Finally, for security-savvy network administrators we have provided a lever to increase the maximum number of DPI-SSL connections by foregoing a number of DPI connections. Below is a comparison of the default and maximum number of DPI-SSL connection by taking advantage of this lever.

Increase Max DPI SSL Connections Chart

We also enhanced our award winning Capture ATP, a cloud sandbox service by improving the user experience of the“Block Until Verdict” feature, which prevents suspicious files from entering the network until the sandboxing technology finishes evaluation.

In addition, SonicOS 6.2.9 enables Active/Active clustering (on NSA 3600 and NSA 4600 firewalls), as well as enhanced HTTP/HTTPS redirection.

Whether your organization is a startup of 50 users or an enterprise of few thousand employees, SonicWall is always considering its customers’ needs and strives to better serve you by constantly improving our feature set and offerings.

For all of the feature updates in SonicOS 6.2.9, please see the latest SonicOS 6.2.9 data sheet (s). Upgrade today.