
SonicWall suffers security vulnerability, affecting millions of managed devices and organizations

September 8, 2020

United Kingdom security researchers say it took SonicWall more than two weeks to patch a vulnerability in 1.9 million SonicWall user groups, affecting some 10 million managed devices and 500,000 organizations. In a blog post published by Pen Test Partners, the researchers explained that the vulnerability, an insecure direct object reference (IDOR) in the ‘partyGroupID’ API request, allowed any user to be added to any group at any organization.

"Using this degree of access, one could modify firewall rules and/or VPN access, giving oneself remote access into any organization," says the researcher. "One could inject ransomware, or any manner of other attacks should one so wish. That’s a breach of customer networks directly as a result of their security products."

In an email statement to SC Media, SonicWall said a vulnerability in its cloud-based product registration system was quickly researched, verified and promptly patched on August 26. About two weeks earlier, SonicWall said it had identified the reported vulnerability as part of its PSIRT program (the notification from Pen Test Partners) and rapidly created a fix that underwent full testing and certification.

"SonicWall claims that at no time did it detect or become aware of any attempted exploitation of the vulnerability in the cloud-based product registration system. The company says the fix was successfully applied to the cloud system and says no action is required by end users," writes SC Media.

But Ken Munro, partner and founder of Pen Test Partners, claims otherwise, saying that after several days of prodding, Pen Test Partners reached out to SonicWall CEO Bill Conner, who responded two hours after being contacted. The fix was then executed just two days later – 17 days after Pen Test Partners contacted the company. “We should have not had to reach out to the CEO to get this issue accelerated,” Munro said. “There was only one part of the API that had the flaw. It should have been taken down, but instead it left the customer base exposed for at least 14 days. This patch should have been done very quickly.”

Heather Paunet, Senior Vice President of Product Management at Untangle, a San Jose, Calif.-based provider of comprehensive network security for SMBs, says, "Vulnerabilities within software applications and software services are found and reported every day at an alarming rate if you think about the potential consequences. As of September 3, 2020, there have been 107 CVEs (Common Vulnerabilities and Exposures) reported to the National Vulnerability Database for the month of September, which sounds like a lot for being only 3 days into the month. There were a total of 1240 entries found and reported in August 2020. Each time a vulnerability is found, and subsequently blocked, software applications and services become more robust against different types of cyber-attacks because of it."

"Pen Test Partners make it their goal to test and evaluate software applications and services to see if they can find ways to access data, access user accounts, and find ways into systems that could be used to disable, or steal data from those services. Many software vendors employ the services of Pen Test Partners specifically to find those holes before anyone else can find them," explains Paunet. 

Ultimately, once Pen Test Partners reports a vulnerability, vendors, such as SonicWall in this case, need to assess the issue, validate that it’s a real issue in the context of how it was reported, quickly assess the effects it will have on users of their software, and make a plan to address it, says Paunet. "The response of any vendor depends on that assessment. In this case, the issue was that any user, no matter what their privileges, could be elevated to have full administrative privileges to make changes to the SonicWall systems. Any such user would then have control over how a corporate network behaves, including who could get access to the network. The worst case examples are that a malicious user with these privileges could open up the network completely by changing firewall rules, allowing for even the most basic of data breaches to occur."

When assessing this vulnerability, SonicWall would be taking into account how likely this vulnerability was to be discovered, whether the vulnerability had been made public, and whether the fix that they applied would have any unforeseen consequences, adds Paunet. "Ideally, fixing any data breach as soon as possible is the best path to take. However, there are other considerations when making a lightning fast code modification. Any time code is modified, running a full regression test will make sure that everything continues to work as intended. In the case of SonicWall’s cloud management system, foregoing a full Quality Assurance test cycle could be just as dangerous with its own side effects, similar to if this identified vulnerability was left unchecked. Side effects of not fully going through regression tests could also result in taking down, exposing access to, or breaking a customer’s network."

"While we don’t know the internal discussions that happened at SonicWall, as a security vendor themselves, they had to have considered those implications when putting a timeline on their fix. Essentially, as soon as the vulnerability was discovered, and made known, it became a race against time between hackers finding and using the vulnerability to their advantage, and SonicWall closing it off," Paunet concludes. 

Rick Moy, Vice President of Marketing at Tempered Networks, a Seattle, Wash.-based network security provider, notes, "This is a good case for organizations not rolling their own authentication and authorization code without serious justification and investment. Kudos to the CEO for getting it and acting quickly. Hopefully, this will be a learning experience that spreads the sense of urgency throughout the organization. With that being said, in 2020, an indirect secure object reference vulnerability (IDOR) on a cloud security service is hard to justify since it’s been on the OWASP Top 10 since 2007. As security vendors, we must hold ourselves to a higher standard."
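
The missing object-level authorization check behind an IDOR of the kind reported in the ‘partyGroupID’ request, shown beside its corrected form. This is an added example, not SonicWall's or Pen Test Partners' code: the data model, function names, organizations and IDs are constructed for illustration, and only the `partyGroupID` parameter name comes from the article.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller may not act on the requested object."""

@dataclass
class Group:
    party_group_id: int
    org_id: str
    members: set = field(default_factory=set)

@dataclass(frozen=True)
class Session:
    # Server-side identity of the authenticated caller (hypothetical model).
    user_id: str
    org_id: str
    is_org_admin: bool

# Constructed sample data: which organization each user belongs to.
USER_ORG = {"alice": "org-a", "bob": "org-a", "mallory": "org-b"}

def make_groups():
    """Fresh constructed group table keyed by partyGroupID."""
    return {1001: Group(1001, "org-a"), 2002: Group(2002, "org-b")}

def add_member_unchecked(groups, session, party_group_id, user_id):
    """IDOR pattern: the caller is authenticated, but the handler acts on
    whatever group ID the client supplied without checking ownership."""
    groups[party_group_id].members.add(user_id)
    return groups[party_group_id]

def add_member_checked(groups, session, party_group_id, user_id):
    """Corrected form: authorize against the object, not just the login."""
    group = groups.get(party_group_id)
    # Same error for unknown and foreign groups, so responses do not
    # reveal which IDs exist in other organizations.
    if group is None or group.org_id != session.org_id:
        raise Forbidden("group not accessible")
    # Membership changes require an administrative role in that org.
    if not session.is_org_admin:
        raise Forbidden("admin role required")
    # The user being added must belong to the group's organization.
    if USER_ORG.get(user_id) != group.org_id:
        raise Forbidden("user not in this organization")
    group.members.add(user_id)
    return group
```
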
