The impact of this advisory is rated high. Please take the actions stated below to rectify the issue.
Affected products:
SonicWall SMA 100 and SMA 1000 series appliances, as well as any firewall products, including the TZ, NSa, NSA, NSv, SuperMassive and NSsp series, with SSL-VPN enabled.
What you need to know:
There exists a potential domain name collision vulnerability in SonicWall SSL-VPN technology that could result from a security misconfiguration of the impacted products.
In short, when the administrative boundaries of private and public namespaces overlap, name resolution can produce unintended and harmful results.
According to SonicWall, it is not aware that the reported vulnerability has been exploited or that any customer has been negatively affected by this issue.
Actions to be taken:
Enterprises running SonicWall SMA 100 and SMA 1000 series appliances, as well as any firewall products, including TZ, NSa, NSA, NSv, SuperMassive and NSsp series with SSL-VPN enabled, should implement the following procedures as soon as possible:
For SonicWall SMA 100 series:
- Configure domain names that differ from the AD/LDAP names and from existing internal domain names.
- Hide the SMA domain list by enabling the ‘Hide Domain list on portal login page’ option in the SMA 100 portal settings.
For SonicWall SMA 1000 series:
- For Microsoft Active Directory (Advanced) authentication servers, ensure that the option labelled ‘Users can choose from a list of domains’ is not selected. This is the default configuration.
For SonicWall Firewalls (SSL-VPN Server Settings):
- Do not show the entire internal domain name in the ‘User Domain’ field.
In a nutshell, administrators are advised not to put internal fully qualified domain names (FQDNs), such as ‘name.company.com’, into the ‘User Domain’ field. Instead, a generic name such as ‘LocalDomain1’, which cannot be resolved by a DNS server, can be used.
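The following is an added configuration-audit helper, not SonicWall code or part of the original advisory: it takes the values an administrator has entered as portal domain names (SMA domain list or firewall ‘User Domain’) plus the organisation's AD/LDAP and internal DNS domain names, and flags entries that are FQDNs, match or overlap the internal namespace, or (optionally, via an injected resolver) resolve in DNS. The internal domain names and portal values in the demo are constructed samples.

```python
import re
import socket
from typing import Callable, Iterable, List, Optional

# Dotted, DNS-style label sequence such as "corp.example.com" (case-insensitive).
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}\.?$", re.I)


def dns_resolves(name: str) -> bool:
    """True if the name resolves on this host; only used when explicitly passed in."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def audit_user_domain(user_domain: str, internal_domains: Iterable[str],
                      resolves: Optional[Callable[[str], bool]] = None) -> List[str]:
    """Return findings for one portal domain name; an empty list means it passes."""
    name = user_domain.strip().rstrip(".").lower()
    internals = {d.strip().rstrip(".").lower() for d in internal_domains}
    if not name:
        return ["empty domain name"]
    findings: List[str] = []
    if FQDN_RE.match(name):
        findings.append(f"'{user_domain}' is a fully qualified DNS name; use a generic label instead")
    if name in internals:
        findings.append(f"'{user_domain}' matches an internal AD/LDAP or DNS domain name")
    else:
        for d in internals:  # parent/child relationship with an internal zone also collides
            if name.endswith("." + d) or d.endswith("." + name):
                findings.append(f"'{user_domain}' overlaps the internal namespace '{d}'")
    if resolves is not None and resolves(name):
        findings.append(f"'{user_domain}' resolves in DNS; the portal name should not be resolvable")
    return findings


def audit_domain_list(user_domains: Iterable[str], internal_domains: Iterable[str],
                      resolves: Optional[Callable[[str], bool]] = None) -> dict:
    """Audit every configured portal domain; keys are the names that produced findings."""
    result = {d: audit_user_domain(d, internal_domains, resolves) for d in user_domains}
    return {d: f for d, f in result.items() if f}


if __name__ == "__main__":
    # Constructed sample configuration: two internal zones, three portal entries.
    internal = ["corp.example.com", "example.com"]
    portal = ["corp.example.com", "vpn.corp.example.com", "LocalDomain1"]
    for domain, findings in audit_domain_list(portal, internal).items():
        print(domain, "->", "; ".join(findings))
```

Pass `resolves=dns_resolves` to also confirm that the chosen generic label does not resolve from the network where the audit runs.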
What is the impact of not doing the actions?
An attacker who knows the organisation’s internal domain name could take advantage of this domain name collision vulnerability.