SonicWall flags critical bug likely exploited as zero-day, rolls out hotfix

SonicWall is warning customers of a critical vulnerability that was potentially already exploited as a zero-day. The bug affects SonicWall's Secure Mobile Access (SMA) line, specifically the SMA 1000 product. The company stated in an advisory on Thursday that a remote unauthenticated attacker could execute arbitrary OS …

  1. Doctor Syntax Silver badge

    Sonic Wall, FortiNet, Cisco, all the rest: aren't they supposed to be protecting their customers' networks?

    1. IGotOut Silver badge

      No.

      They are designed to replace Chinese firewalls with security holes that the Chinese could exploit, with homegrown ones that anyone can exploit.

      1. ecofeco Silver badge

        Perfect description is perfect.

  2. PCScreenOnly

    Three

    Wonder if this is their issue?

  3. John Klos

    SonicWall is still a thing?

    With their comically bad approach to security - security through stupidity, I call it - I'm surprised that anyone still buys SonicWall.

    From EOL'ing devices that are literally identical hardware to new devices, to charging for security updates even when still in warranty, to having tech support that tells us nonsense such as how we can't have arbitrarily long TCP connection timeouts because all TCP connections must expire quickly (let's assume we're not talking about past 2038 and just talking about connections that could live multiple days or weeks), about how ALL computers connected directly to the Internet will be compromised without firewalls, about how forging RST between machines communicating across local subnets is a FEATURE, is good and "improves security", about how VPNs are "complex" and SonicWall-to-SonicWall connections that don't work consistently is a "normal and expected" problem...

    I have quotes saved from SonicWall support about all these things. They must be really good at marketing.

    1. Nate Amsden

      Re: SonicWall is still a thing?

      I've been using Sonicwall as basically L4 firewalls and site-to-site VPN since early 2012 without much issue. Current firewalls go EOL next year, which would make about 8 years of service for those Gen 6 units. I think their SSL VPN on the firewalls is no good (though usable for the most basic use cases). I remember evaluating their SMA SSL appliances many years ago and ruled them out right away as they lacked the ability to do full Duo prompt integration (Sonicwall firewalls can't either). Their early Gen7 stuff was pretty buggy, though it seems better now. Gen5 was OK for me as well (my first exposure to Sonicwall).

      For me, initially Sonicwall was only going to be used as a site-to-site VPN, and speaking of marketing, the VAR I was working with at the time (knowing my use case of IPSec VPN ONLY) was trying to push Palo Alto firewalls to me at probably 4-6x the cost. PAN is a fine product but super overkill for only site-to-site VPN (and the suggested model had a fraction of the IPSec throughput of Sonicwall). I have since expanded use cases to layer 4 edge firewalls as well and they work fine in that regard, very few issues. I haven't touched their layer 7 stuff, assuming there are more bugs there.

      As for long TCP timeouts, it all depends on how long you want... I don't think I've ever needed to set something for longer than an hour or two. I did work at one place where the network engineer set their Cisco ASAs to have ~1 week timeouts, then struggled with semi-quarterly firewall outages where they had to power-cycle both firewalls to get them working again. Neither they nor Cisco support were smart enough to do something as simple as check the state table, then realize hey, those 500k entries are the limit of the hardware, then check the timeouts... after I joined and saw that happen I had him fix it, and started monitoring it; states never went above about ~2000 after that, and nobody complained that I recall. The original reason for the 1 week timeouts, he said, was people were complaining their sessions were being killed.
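The state-table exhaustion described in the comment above (week-long idle timeouts on a table capped at ~500k entries) is just arrival rate multiplied by idle timeout. The following is an added example, not code from the thread or from any firewall vendor: a constructed simulation of a stateful firewall's connection table with a hard capacity and a single idle timeout, showing how live entries track `rate x timeout` and how new flows start being refused once that product exceeds capacity. The 5-tuples, the capacity and the timeouts are made up for illustration; real firewalls keep separate timeouts per protocol and connection state.

```python
"""Firewall state-table pressure vs. idle timeout (constructed simulation, not vendor code)."""
from collections import OrderedDict
from typing import Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


class StateTable:
    """A stateful firewall's connection table with a hard capacity.

    Entries are kept oldest-first so idle eviction only has to inspect the head.
    Real firewalls keep separate timeouts per protocol/state (TCP established,
    half-open, UDP); this model uses one idle timeout for clarity.
    """

    def __init__(self, capacity: int, idle_timeout: float) -> None:
        self.capacity = capacity
        self.idle_timeout = idle_timeout  # seconds of inactivity before eviction
        self.entries = OrderedDict()      # flow -> last-seen time, oldest first
        self.dropped = 0                  # new flows refused because the table was full
        self.peak = 0                     # high-water mark of live entries

    def expire(self, now: float) -> int:
        """Evict entries idle for >= idle_timeout; return how many were removed."""
        removed = 0
        while self.entries:
            _flow, seen = next(iter(self.entries.items()))
            if now - seen < self.idle_timeout:
                break                     # head is the oldest entry; nothing older to evict
            self.entries.popitem(last=False)
            removed += 1
        return removed

    def touch(self, flow: Flow, now: float) -> bool:
        """Record a packet for `flow` at `now`; return False if a new flow was refused."""
        self.expire(now)
        if flow in self.entries:
            self.entries[flow] = now
            self.entries.move_to_end(flow)  # keep oldest-first ordering
            return True
        if len(self.entries) >= self.capacity:
            self.dropped += 1
            return False
        self.entries[flow] = now
        self.peak = max(self.peak, len(self.entries))
        return True


def steady_state_entries(new_flows_per_sec: float, idle_timeout: float) -> float:
    """Little's law: entries held by idle flows ~= arrival rate x idle timeout."""
    return new_flows_per_sec * idle_timeout


def simulate(capacity: int, idle_timeout: float, flows_per_step: int,
             steps: int, step_seconds: float = 60.0) -> dict:
    """Open `flows_per_step` distinct, never-reused flows each step; report table pressure."""
    table = StateTable(capacity, idle_timeout)
    counter = 0
    for i in range(steps):
        now = i * step_seconds
        for _ in range(flows_per_step):
            counter += 1
            # Constructed 5-tuple; the source-port counter makes every flow new.
            table.touch(("10.0.0.1", counter, "203.0.113.5", 443, "tcp"), now)
    return {"peak": table.peak, "dropped": table.dropped, "live": len(table.entries)}


if __name__ == "__main__":
    # Ten new flows a minute, 10-minute idle timeout: about 100 live entries, no refusals.
    print(simulate(capacity=1000, idle_timeout=600, flows_per_step=10, steps=300))
    # Same load, 200-minute idle timeout, 1000-entry table: refusals until entries age out.
    print(simulate(capacity=1000, idle_timeout=12000, flows_per_step=10, steps=300))
    # The anecdote's numbers: one new flow a second with week-long timeouts.
    print(steady_state_entries(1.0, 7 * 24 * 3600))  # 604800.0, above a 500k table
```

The useful check is the last line: at even one new flow per second, a one-week idle timeout wants roughly 605k live entries, so a 500k-entry table fills and every new connection after that is refused until something ages out, which is exactly the "works again after a power cycle" symptom. Dropping the timeout to an hour at the same rate needs about 3,600 entries. Session-killing complaints are better handled by keepalives on the long-lived flows than by stretching the timeout for every flow.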

    2. Anonymous Coward

      Re: SonicWall is still a thing?

      "how ALL computers connected directly to the Internet will be compromised without firewalls"

      I remember turning on incoming-connection logging on my router 20 years ago. There were a couple of attempts per minute to get to common Windows ports. ISTR reading that the average time for an unprotected XP machine (20 years ago!) that was net-accessible to be compromised was under 15 minutes. I have no reason to believe these things have changed.

      1. Kevin McMurtrie Silver badge

        Re: SonicWall is still a thing?

        You need a firewall for your firewall, otherwise your firewall is connected directly to the internet and will be compromised.

      2. ecofeco Silver badge

        Re: SonicWall is still a thing?

        Things have changed a lot. Now it's about 15 seconds.

        Not even joking.

  4. harrys Bronze badge

    Always wondered why people would choose this for their SME customers over pfsense?

    First time I came across a sonicwall, I looked at its pricing structure and thought jeez, the money I can save the customer with a vastly superior, but above all OPEN SOURCE, product

    swapped over quite a few in my time

    closed source ..... "sales tactic to maximize revenue by hiding technical debt" :)
