Security researchers in the United Kingdom said it took SonicWall more than two weeks to patch a vulnerability in 1.9 million SonicWall user groups, affecting some 10 million managed devices and 500,000 organizations.

In a blog released by Pen Test Partners, the researchers said the response took far too long for this type of flaw. SonicWall countered by saying that the company responded promptly and no vulnerabilities were exploited.

According to the blog, attackers could have potentially taken advantage of an IDOR to access the SonicWall cloud service. An IDOR is a flaw in an API or web application that does not check authorization properly, allowing an attacker to access unauthorized data.

“Using this degree of access, a hacker could potentially modify firewall rules and/or VPN access, giving himself remote access to any organization,” Ken Munro, partner and founder of Pen Test Partners, told SC Media. “A hacker could inject ransomware, or any manner of other attacks. The IDOR allowed any user to be added to any group at any organization. All a user needed was his or her own account and they could add it to anyone else’s group through a public cloud service.”

In an email statement to SC Media, SonicWall said a vulnerability in its cloud-based product registration system was quickly researched, verified and promptly patched on August 26. About two weeks earlier, SonicWall said it had identified the reported vulnerability as part of its PSIRT program (the notification from Pen Test Partners) and rapidly created a fix that underwent full testing and certification.

SonicWall claims that at no time did it detect or become aware of any attempted exploitation of the vulnerability in the cloud-based product registration system. The company says the fix was successfully applied to the cloud system and says no action is required by end users.

But Munro claimed otherwise, saying that after several days of prodding, Pen Test Partners reached out to Sonic Wall CEO Bill Conner, who responded two hours after being contacted. The fix was then executed just two days later – 17 days after Pen Test Partners contacted the company.

“We should have not had to reach out to the CEO to get this issue accelerated,” Munro said. “There was only one part of the API that had the flaw. It should have been taken down, but instead it left the customer base exposed for at least 14 days. This patch should have been done very quickly.”

According to SonicWall, at the time of the initial discovery, the company reviewed previous connection data and determined that no account had been exploited and that there was extremely low risk of exploitation.

“A threat actor would require very specific account information and time to take advantage of the system,” the statement said. “And, any exploitation attempt would trigger an automated security alert to the legitimate account owner, as well as SonicWall’s security team, due to SonicWall’s layered security protocols.”

Tarik Saleh, senior security engineer and malware researcher at Domain Tools, said that such conflicts between security researchers and vendors over response times is very common.

Bug Bounty disclosures are a really beneficial program for both companies that participate in them and the white hat security researchers who dedicate their free time and energy to helping make the internet a more secure place,” said Saleh. “Unfortunately, we’ve seen conflicts between researchers and companies, and this is another example.”

Saleh said researchers don’t always have exposure to how companies operate with developing vulnerability fixes, doing exhaustive testing on fixes and getting them pushed to production. While Saleh said SonicWall could have done a better job to communicate with the researchers, it’s ultimately the vendor’s decision on how transparent they want to be with their incident response process, and disclosing that information to a researcher. 

“Generally speaking, 17 days to patch this type of vulnerability is far too long with the risk it poses to the huge customer base,” Saleh said. “It sounds like there’s a big room for improvement on how SonicWall’s PSIRT triages vulnerabilities reported to them, how they communicate and coordinate what fixes need to happen with appropriate teams, and how to engage researchers with more information to not leave them hanging.”

Rick Moy, vice president of marketing at Tempered Networks added that  SonicWall CEO Conner did a good job understanding the importance of the issue and acted quickly once the information was presented to him.

“That spreads the sense of urgency throughout the organization,” Moy said. “However, in 2020, an indirect secure object reference vulnerability on a cloud security service is hard to excuse since it’s been on the OWASP Top 10 since 2007. As security vendors, we need to hold ourselves to a higher standard.”