SonicWall

SonicWall urges customers to ‘immediately’ patch a post-authentication vulnerability impacting on-premises versions of the Network Security Manager (NSM) multi-tenant firewall management solution. The vulnerability tracked as CVE-2021-20026 affects NSM 2.2.0-R10-H1 and earlier and it was patched by SonicWall in the NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions. SonicWall rated it with an 8.8/10 severity score and authenticated attackers can exploit it for OS command injection in low complexity attacks that don’t require user interaction. “This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root),” SonicWall explains. “This vulnerability only impacts on-premises NSM deployments. SaaS versions of NSM are not affected.” While the company did not mention an immediate danger of attackers exploiting this vulnerability or active in the wild exploitation, SonicWall is urging customers to patch their devices immediately. “SonicWall customers using the on-premises NSM versions outlined below should upgrade to the respective patched version immediately,” the company said. When asked to comment earlier today, SonicWall refused to provide any details regarding CVE-2021-20026 active exploitation and replied with the information available in the security advisory. Several SonicWall zero-days abused in the wild this year Threat actors have targeted multiple SonicWall appliance vulnerabilities this year, several of them zero-days actively exploited in the wild before the company released patches. In February, SonicWall patched an actively exploited zero-day impacting the SMA 100 series of SonicWall networking devices. A financially motivated threat actor, tracked by Mandiant threat analysts as UNC2447, exploited another zero-day in SonicWall SMA 100 Series VPN appliances to deploy newly discovered FiveHands ransomware on the networks of North American and European targets. The same zero-day bug was also abused in attacks targeting SonicWall’s internal systems in January and later indiscriminately abused in the wild. In March, SonicWall patched three more zero-days exploited in the wild and affecting the company’s on-premises and hosted Email Security (ES) products. As Mandiant found while investigating the attacks, these zero-days were abused by a group tracked as UNC2682 to backdoor systems using BEHINDER web shells which allowed the attackers to move laterally through their victims’ networks and access emails and files. NOTE:: This article is copyright bybleepingcomputer.com and we are using it for educational or Information purpose only Click Here to visit the official store of SonicWall in Pakistan      

How Can I track emails coming in to Sonicwall Email Security? Tracking emails. You can trace a particular email and find out if it ever hit the sonicwall device and or it was rejected, deleted, Junked or bounced. Any email that hits the Email security device irrespective of being rejected, deleted, bounced, junked, gets recorded in a log file called “Mfe” Please follow the following steps to get to the log:   Login into the device as “admin” Go to Manage | System Setup | Server | Advanced |download system/Log files: Logs: Mfe (select from the drop down as shown below) It will display logs with dates on it as the file name. Select the date which you want to track emails for and do a search on the email. You can search using the sender’s or recipients email address or subject of the email. The log entries would show the message location, Message threat, Sender’s IP, date and time sent to, along with other information. To view it in readable format, open the log file in MS excel. Message Location category: ju= Junk box rj = rejected dv = delivered qu = queued bo = bounced Message Threat Category: ddha = Definate directory harvest attack dspm= Definate Spam lspm = Likely Spam dvir = Definate Virus lvir = Likely Virus dphi= Definate Phishing lphi = Likely Phishing good = good email (no Threat) Plyt = Policy Threat Example of 1 email’s Mfe log entry: 5     px    i     ju   dspm   192.168.6.110_    —-  ————–    —————   —–    —-  ——-p—-      ————      200911160004590086296      testmail@sonicwall.com  –  testaccount@test.com    testaccount@test.com    “John Smith”      Your credit balance is over its limit     3289  emailsecurity     192.168.1.10      25    collab      –     –     rules:rules:Score=-31.26      518d52eee664842c  en_US      <000d01ca6655$931ac960$6400a8c0@withoj2>  192.168.6.110     Conclusion: Version= 5 Inbound/outboud = i Msg/Location= ju MsgThreat= dspm GotfromIP = 192.168.6.110 MlfUniqueId = 200911160004590086296 EnvRcptTo = testmail@sonicwall.com EnvMailFrom = testaccount@test.com HdrFromAddr = testaccount@test.com HdrSubject = your credit balance is over its limit MsgSizeInBytes= 3289 NqMlfHost = emailsecurity NextHopServer = 192.168.1.10 NextHopPort = 25 Categories = collab Reason = rules:rules:Score=-31.26 SecuritySecret = 518d52eee664842c MsgLanguage = en_US (English- US) Message-ID = <000d01ca6655$931ac960$6400a8c0@withoj2> FirstTouchIP = 192.168.6.110

What is Directory Harvest Attack? A Directory Harvest Attack or DHA is a technique used by spammers to find valid/existent  email addresses at a domain either by using Brute force or by guessing valid e-mail addresses at a domain using different permutations of common username. Its easy for attackers to get hold of a valid email address if your organization uses standard format for official e-mail alias,   EXAMPLE:  jsmith@example.domain, johns@example.domain, or johnsmith@example.domain How Can we protect against Directory Harvest Attack (DHA) ? Spammers can threaten your network with junk mail if they get a list of all users in an organization’s directory or can guess email addresses from your organization. DHA Protection Feature of Email Security can help to protect organizations vulnerable to increased attacks on their email and other data systems. To use DHA feature Login onto the Email security Server as Admin Go to Manage | Security Services | Connection Management | Directory Harvest Attack (DHA) Select from the following options for handling email addressed to people who are not in your directory: ⦁ Directory Harvest Attack (DHA) protection off (process all messages the same whether or not the email address is in LDAP)- This option means DHA protection is OFF  ⦁ Permanently delete–  This option will delete any email that comes in for an Invalid Email address. The deleted email cannot be retrieved.  ⦁ Reject invalid addresses (Tarpitting)– This option will reject the email if it is going to an Invalid email address and tarpits the connection for the amount of time selected. (0-3 seconds, best set to 0 as optimal)  CAUTION: Enabling tarpitting protection uses system resources (CPU, memory) and may slow down your server. Also, rejecting is not truly a form of DHA Protection, but it can slow down the sending machines, but as a side effect, the delay you impact also delays your machine. ⦁ Always store in Junk Box – This option will store emails going to invalid users in Junk box regardless of any spam rating.   You can also setup DHA based on Domain names by setting the following: ⦁ Apply to all recipient domains– This Option, when selected, would apply the above DHA settings to all the recipient domains on your network.⦁ Apply only to the recipient domains listed below– This Option will allow you to enable DHA only for domain names listed in the box⦁ Apply to all recipient domains except those listed below– This Option will allow you to disable DHA only for domain names listed in the box  NOTE: you can add multiple domains in the box separated by <CR>    DHA takes a priority regarding how emails are judged. Once a message is detected as DHA will not go through any other actions and will abide by you DHA selection.   To use the DHA feature on email security you will first need to configure LDAP configuration on email security server. This will pull all the users and email address from your LDAP server and email security will recognize valid emails using the LDAP configuration. Make sure you see all valid users under Manage|Users, Groups & Organizations|Users on Email security server after you configure LDAP.  NOTE: If the navigation or the screenshot looks different from the one mentioned above , you may be in an older firmware version and would require a firmware upgrade. Please refer the link below to upgrade the firmware to latest version.

How Can I Enable Flood Protection For Outbound Emails? RESOLUTION: Please login on the WebUI as admin. Navigate to Manage | Security Services | Anti-Virus tab and click on the Outbound tab. Scroll all the way towards the bottom of the page and you will see a flood protection section. Click on the ” Enable Flood Protection” check box. Go to action settings and set the threshold and also action for messages if they cross the limit set in threshold ( Example below shows threshold set to 250 messages sent by one user in one hour, the messages will be stored in junk box once the user crosses the threshold). Click ” Apply Changes” to save the settings  ITBrands.pk is the official partner of SonicWall in Pakistan