- BishopFox scanned the internet for SonicWall VPNs and found hundreds of thousands that can be accessed over the internet
- Tens of thousands were using old, vulnerable software versions
- Some were already past the end of their lives, putting them at risk of attack
Tens of thousands of SonicWall VPN firewall platforms are vulnerable to a variety of flaws, putting their users at risk of remote exploitation, data breaches, privilege escalation, and more.
Cybersecurity researchers at BishopFox scanned the internet with Shodan and BinaryEdge and used proprietary scripts to analyze the returning data. They found that there were 430,363 endpoints exposed to the Internet.
While this doesn’t necessarily mean they’re vulnerable, endpoints like these shouldn’t be connected to the wider internet to begin with, as it means crooks could try to access them and look for holes.
End of life
“The management interface on a firewall should never be made public as this introduces unnecessary risk,” BishopFox said in its report. “The SSL VPN interface, while designed to provide access to remote clients over the Internet, should ideally be protected by source IP address restrictions.”
Digging deeper, BishopFox found that nearly 120,000 endpoints were running versions affected by severe vulnerabilities, including 25,485 endpoints with critical flaws and 94,018 endpoints with high-severity bugs. Additionally, they said 20,710 endpoints were running versions of the software that are no longer supported by the vendor.
This provides a fairly large attack surface for threat actors to exploit. SonicWall SSL VPN devices are often targeted by various campaigns, including the recent attacks from both Fog and Akira ransomware groups. These threat actors exploited flaws to gain initial access to corporate networks, where they later deployed ransomware encryptors and wreaked havoc on corporate infrastructure.
To counter the threat, companies must ensure that they always have the latest versions of their software and that their endpoints are still supported by their respective vendors.
Via BleepingComputer