Ethical hackers from the Dutch company Computest Security have found vulnerabilities in a SonicWall VPN server. The vulnerabilities allowed them to take over the server and, from there, potentially reach the internal company network and the sensitive data on it.
Computest Security advises companies running these servers to patch them immediately with the update SonicWall has since released. The findings confirm that edge devices such as VPN servers, routers, and firewalls deserve more security attention than they currently get.
Computest Security's team of ethical hackers, including Daan Keuper, already demonstrated the weakness of edge devices last year. They found vulnerabilities in a QNAP router during the international hacking competition Pwn2Own and in a network drive from TrueNAS. This prompted the team to investigate other edge devices, such as the SonicWall VPN server.
Vulnerability in login protocol
Among other things, the researchers found vulnerabilities in the login protocol. When logging in to the VPN server, a user enters a username and password to start a session. The server identifies that session with a unique number, and every subsequent request carrying that number is treated as coming from that user. A session number must therefore be unpredictable to anyone who does not hold it. The Computest Security team, however, could predict the numbers, which let them impersonate a logged-in user without knowing any password and, in theory, move through the corporate network unseen.
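The article does not say how the SonicWall session numbers were predictable, so the following is an added illustration, not the vendor's code or the researchers' exploit. It models the failure mode in general form: a server that issues session IDs from a counter with a fixed step (the weak case) beside one that draws them from the operating system's CSPRNG, and an attacker who logs in a few times with their own account, looks for an arithmetic progression in the IDs they receive, and uses it to guess the next ID handed to a victim. The class names, the `step` parameter, and the sample values are assumptions for the example.

```python
import secrets
from typing import Optional


class CounterSessionIds:
    """Weak: each session ID is the previous one plus a fixed step.

    Constructed example of a predictable scheme; 'step' is an assumed
    parameter so the attack below also covers non-unit increments.
    """

    def __init__(self, start: int, step: int = 1) -> None:
        self._next = start
        self._step = step

    def issue(self) -> str:
        sid = self._next
        self._next += self._step
        return f"{sid:032x}"  # 128-bit-looking hex string, but only the counter varies


class RandomSessionIds:
    """Strong: 128 bits of entropy from the OS CSPRNG (secrets.token_hex)."""

    def issue(self) -> str:
        return secrets.token_hex(16)


def predict_next(observed: list[str]) -> Optional[str]:
    """Attacker's view: given IDs from our own logins, guess the next one.

    Returns a prediction only if consecutive observed IDs differ by the
    same non-zero constant; returns None when no such pattern exists.
    """
    if len(observed) < 3:
        return None
    values = [int(s, 16) for s in observed]
    diffs = {b - a for a, b in zip(values, values[1:])}
    if len(diffs) != 1:
        return None
    step = diffs.pop()
    if step == 0:
        return None
    return f"{values[-1] + step:032x}"


def attacker_hijacks_victim(gen, logins: int = 4) -> bool:
    """Simulate the attack against a session-ID generator.

    The attacker logs in 'logins' times (observing their own session IDs),
    predicts the next ID, and then a victim logs in. True means the
    prediction equals the victim's real session ID, i.e. the attacker can
    send requests as the victim without ever knowing a password.
    """
    observed = [gen.issue() for _ in range(logins)]
    guess = predict_next(observed)
    victim_session = gen.issue()
    return guess is not None and guess == victim_session


if __name__ == "__main__":
    # Constructed start value; any value works for the counter scheme.
    weak = CounterSessionIds(start=0x5EED_0000, step=7)
    strong = RandomSessionIds()
    print("counter-based IDs hijacked:", attacker_hijacks_victim(weak))
    print("CSPRNG IDs hijacked:", attacker_hijacks_victim(strong))
```

The check a practitioner wants from this is the second line: a session ID that comes from a CSPRNG with at least 128 bits of entropy cannot be extrapolated from any number of previously observed IDs, whereas a counter (or any deterministic function of time, PID, or user ID) can be, regardless of how long the hex string looks.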
Misusing information for attacks
Computest Security reported the vulnerabilities to SonicWall, which has since released a patch. Now that the vulnerabilities are public, however, ransomware groups may use that knowledge to go after SonicWall devices that have not yet been updated. Installing the available security updates on these devices as soon as possible is therefore essential.
Computest Security also observes that, as endpoint security has improved, cybercriminals and state actors are shifting their focus from endpoints, previously a popular target, to edge devices. Attacks on these devices are increasing and therefore require more attention.
Compliance risk under the Cyber Resilience Act
More focus on the security of edge devices is therefore needed, not only from the companies using them but also from the manufacturers, distributors, and importers of the devices. These parties face a serious compliance risk under the Cyber Resilience Act, which also came into force for the Netherlands at the end of 2024.
The act treats digital products such as VPN servers and routers as critical network components, requiring them to meet extra stringent security standards and to remain secure throughout their life cycle.
All parties still have until 2027 to prepare for the act, after which they can expect oversight and significant fines if the security of their devices is not ensured.