Sonicwall Cloud Backups Compromised

Not a good summer/fall for SonicWALL. Their partner communication has also been abysmal.

https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

2 Likes

SonicWall has been and always will be a trash company and firewall.

1 Like

MySonicWall Cloud Backup has become…“TheirSonicWall Cloud Backup”

Why hack the firewall when you can dump the config backups and log in?

2 Likes

I mean, pfSense does the same, and correct me if I'm wrong, but haven't you in the past recommended it? Who knows, I have memory issues. Just a reminder, I'm disabled... but still doing what I can to do homelab stuff.

I saw David Bombal did a vid on it, saying that he finds it funny when people say brute-forcing no longer works.

I’m no cybersecurity expert, by any means, but I do use massively long, password manager generated passwords for encryption before backing up to the cloud.

That said, I know there’s a lot more to how a “secure algorithm” can be hacked than just the password or key, i.e. how it’s implemented.

One example... some two-way radios I have that offer AES-256 over DMR as an option received a firmware update because they were previously not randomizing the initialization vector. I had never even heard of an IV prior to this firmware update.

I guess the question remains... WHAT was being brute-forced? Also, did SonicWall implement encryption for their backups correctly? And for me, does pfSense have a correct implementation?

The same goes for S3 backups in TrueNAS. Sure, I back up my most important datasets offsite, filling in both fields (can't remember... the password and the salt???) again with massively long strings, but are THEY using a proper implementation of their encryption?? Who knows.

1 Like

SonicWall did not use encryption for their backups, which is the issue. When you use the feature in pfSense you have to set a password for the encryption, which they don't have, thus avoiding this issue.

1 Like

“While credentials within the files were encrypted, the files also included information that could make it easier for attackers to potentially exploit the related firewall.”

This is straight from SonicWall's website. Unbelievable.

https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330

1 Like

At least they were storing the creds within the configs properly, although I am not sure how good the hashing algorithm they used was.

1 Like

True. There is a partner briefing today, I’ll post back if there’s anything juicy.

If the algorithm is anything like the default IPsec VPN settings were until recently (3DES, lol), I don't have much faith.

Reminds me of the LastPass breach, where URLs and other data were left unencrypted. I think only the username and password were encrypted.

So after the meeting I came away with a few things:

The files are base64-encoded, and the secrets/keys were AES-256 encrypted; the admin password to the firewall was not included in the settings file.

My concerns are still that someone could just import this config file into a vanilla SonicWall, then log in and impersonate your site-to-site VPN tunnels (if you don't have them locked down to the IPs of your sites, which you should). And they will now know your network layout, subnets, VLANs, etc., though how valuable this is to attackers, who knows. But address objects like domain controllers and other servers would give them an easy direction if someone were to get in.

1 Like

Just came here to ask, has it ever been a good season at all for SonicWall? I don’t think they’ve ever had a positive time in history lol.

1 Like

Not that I can recall. I have never had a positive interaction with their product line.

The Gen 6 line was pretty good; I probably had the fewest issues with those. Unfortunately I'm forced into using them at work, but I have replaced some of them with Netgate where I can.

At most clients I come into, the firewall is just tossed in and nothing is set up. May as well just use the ISP-provided kit if you're just going to do that.

Same here. I managed them for a place for a few years and they were absolutely awful: buggy, insecure, and honestly their UI is just ugly and a pain to work with, lol.