Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE).
Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.
Exploitable remotely without authentication
Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”
The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.
The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.
“SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.
Impacted NSv platforms: NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600
Impacted versions: 6.5.4.4-44v-21-1452 and earlier
Fixed versions: 6.5.4.4-44v-21-1519 and higher
NSsp 15700 firewall gets hotfix, full patch in April
The only affected firewall still waiting for a patch against CVE-2022-22274 is the NSsp 15700 enterprise-class high-speed firewall.
While a hotfix is already available for those reaching out to the support team, SonicWall estimates that a full patch to block potential attacks targeting this firewall will be released in roughly two weeks.
“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844),” the company explained.
“SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.”
Temporary workaround available
SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched.
As the security vendor explained, admins are required to allow access to the SonicOS management interface only from trusted sources.
“Until the [..] patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management),” SonicWall added.
The updated access rules will ensure that the impacted devices “only allow management access from trusted source IP addresses.”
British-based cybersecurity vendor Sophos warned that a recently patched Sophos Firewall bug allowing remote code execution (RCE) is now actively exploited in attacks.
It enables remote attackers to bypass authentication via the firewall’s User Portal or Webadmin interface and execute arbitrary code.
The vulnerability was discovered and reported by an anonymous researcher who found that it impacts Sophos Firewall v18.5 MR3 (18.5.3) and older.
“Sophos has observed this vulnerability being used to target a small set of specific organizations primarily in the South Asia region,” the company said in an update to the original security advisory.
“We have informed each of these organizations directly. Sophos will provide further details as we continue to investigate.”
Hotfixes and workarounds
To address the critical bug, Sophos released hotfixes that should be automatically deployed to all vulnerable devices since the ‘Allow automatic installation of hotfixes’ feature is enabled by default.
However, customers running end-of-life versions of Sophos Firewall must upgrade manually to patch the security hole and defend against the ongoing attacks.
For these customers and those who have disabled automatic updates, there’s also a workaround requiring them to secure the User Portal and Webadmin interfaces by restricting external access.
“Customers can protect themselves from external attackers by ensuring their User Portal and Webadmin are not exposed to WAN,” Sophos added.
“Disable WAN access to the User Portal and Webadmin by following device access best practices and instead use VPN and/or Sophos Central for remote access and management.”
After toggling on automatic hotfix installation, Sophos Firewall will check for new hotfixes every thirty minutes and after restarts.
Patching your Sophos Firewall instances is critically important, especially since they have been exploited in the wild before, with threat actors abusing an XG Firewall SQL injection zero-day starting in early 2020.
Asnarök trojan malware was also used to exploit the same zero-day to try and steal firewall credentials from vulnerable XG Firewall instances.
Networking equipment maker Zyxel has pushed security updates for a critical vulnerability affecting some of its business firewall and VPN products that could enable an attacker to take control of the devices.
“An authentication bypass vulnerability caused by the lack of a proper access control mechanism has been found in the CGI program of some firewall versions,” the company said in an advisory published this week. “The flaw could allow an attacker to bypass the authentication and obtain administrative access to the device.”
The flaw has been assigned the identifier CVE-2022-0342 and is rated 9.8 out of 10 for severity. Credited with reporting the bug are Alessandro Sgreccia from Tecnical Service Srl and Roberto Garcia H and Victor Garcia R from Innotec Security.
The following Zyxel products are impacted –
USG/ZyWALL running firmware versions ZLD V4.20 through ZLD V4.70 (fixed in ZLD V4.71)
USG FLEX running firmware versions ZLD V4.50 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
ATP running firmware versions ZLD V4.32 through ZLD V5.20 (fixed in ZLD V5.21 Patch 1)
VPN running firmware versions ZLD V4.30 through ZLD V5.20 (fixed in ZLD V5.21)
NSG running firmware versions V1.20 through V1.33 Patch 4 (Hotfix V1.33p4_WK11 available now, with standard patch V1.33 Patch 5 expected in May 2022)
While there is no evidence that the vulnerability has been exploited in the wild, it’s recommended that users install the firmware updates to prevent any potential threats.
CISA warns about actively exploited Sophos and Trend Micro flaws
The disclosure comes as both Sophos and SonicWall released patches this week to their firewall appliances to resolve critical flaws (CVE-2022-1040 and CVE-2022-22274) that could allow a remote attacker to execute arbitrary code on affected systems.
The critical Sophos firewall vulnerability, which has been observed exploited in active attacks against select organizations in South Asia, has since been added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.
Also added to the list is a high-severity arbitrary file upload vulnerability in Trend Micro’s Apex Central product that could allow an unauthenticated remote attacker to upload an arbitrary file, resulting in code execution (CVE-2022-26871, CVSS score: 8.6).
“Trend Micro has observed an active attempt of exploitation against this vulnerability in-the-wild (ITW) in a very limited number of instances, and we have been in contact with these customers already,” the company said. “All customers are strongly encouraged to update to the latest version as soon as possible.”
Launched in “early preview” in November 2021, the next version of System Center is going to be released in the first quarter of 2022.
In this article, we’ll look at what’s new in each of the main components, Virtual Machine Manager, Operations Manager and Data Protection Manager and make some predictions around the finished product.
Virtual Machine Manager 2022
If you have a medium to large deployment of Hyper-V clusters, VMM is a must for management. Somewhat equivalent to vCenter in the VMware world, this is the server product that lets you manage templates for VMs, including templates with multiple VMs (called a service) and other artefacts, as well as automated deployments. VMM also manages your Software Defined Networking (SDN) stack and your backend storage (SANs and S2D). Notably, it also manages VMware virtualization hosts and clusters and can also integrate with Azure for light VM management.
SC Virtual Machine Manager 2022 Installation
There are a few new features in this version but the running theme throughout System Center 2022 (unless there’s a surprise reveal at GA) is that this is mostly about finishing little details and ensuring compatibility with current platforms. VMM 2022 runs on Windows Server 2022 and can manage Windows Server 2022 hosts.
On the networking side, the SDN stack gets support for dual-stack IPv4 and IPv6. You’ll need to be using the SDN v2 stack but that’s been where any new features have appeared since System Center 2016. In case you’re not familiar, up to System Center 2012R2 / Windows Server 2012R2 Microsoft built their own network virtualization stack and protocol but in 2016 they offered VXLan from VMware as an alternative. They also switched to an Azure inspired architecture where there’s a set of Network Controller VMs running on your cluster, managing all the virtualized networks. There are also Software Load Balancer VMs managing incoming network traffic, plus a Gateway providing connectivity from a virtualized network to the wider world. The dual-stack support covers all of these components, including site to site VPN (IPSec, GRE tunnel and L3 tunnels) so if your datacenter is adopting IPv6 – VMM is all ready to go. Note that you’ll need to provide both IPv4 and IPv6 address pools when setting this up.
VMM Logical Network with IPv4 and IPv6 subnets
The other big-ticket item is support for Azure Stack HCI (version 20H2 and 21H2) and Windows Server 2022. Note that VMM 2019 Update Release 3 (UR3) does provide support for Azure Stack HCI 20H2. If you missed our Windows Server 2022 webinar and haven’t heard of Azure Stack HCI realize that it’s got very little to do with Azure. This is a special version of Windows Server and Hyper-V that you cluster on top of Storage Spaces Direct (S2D) which you can then manage from Azure. The benefit of Azure Stack HCI is that all the latest features in Windows Server (and Hyper-V) are released for it (unlike “normal” Windows Server) and the downside is that you pay a subscription fee per core, per month, for it.
You can add existing Azure Stack HCI clusters, and you can also create new ones from within VMM. You can manage the entire VM lifecycle, set up VLAN based networks, deploy/manage the SDN controller and manage storage, creation of virtual disks and cluster shared volumes (CSVs) and application of storage QoS. There are new PowerShell cmdlets to handle Azure Stack HCI (Register-SCAzStackHCI).
Note that disaggregated Azure Stack HCI clusters (for Scale Out File Server, SOFS) aren’t supported, nor is Live Migration from an Azure Stack HCI cluster to a Windows Server cluster (although quick migration should work).
I installed the “early preview” on a Windows Server 2022 VM, and it works as advertised, with no visual differences from VMM 2019.
Operations Manager
Apart from VMM, I think SCOM is probably the strongest part of System Center. This venerable product keeps an eye on everything in your virtualized datacenter. Using Dell/HP/Lenovo servers? Just install the free management pack and you’ll get hardware monitoring, down to individual fans in your servers. The same goes for your networking and storage gear. Properly configured, SCOM provides visibility into your entire datacenter stack, from physical hardware to user-facing application code.
There are two new RBAC roles: Read-only Administrator, which does what it says on the tin, including reporting, and Delegated Administrator. The Delegated Administrator profile doesn’t include report viewing, but you can customize exactly what it should be able to do by adding one or more of:
Agent management
Account management
Connector Management
Global settings
Management pack authoring
Notification management
Operator permissions
Reporting permissions
If you have disabled NTLM in your organization, SCOM 2016/2019 reporting services are impacted; 2022 has a new authentication type (Windows Negotiate) that fixes this issue.
An interesting twist is the ability to choose the alert closure behavior. In 2019 you can’t close an alert when the underlying monitor is unhealthy; now you can choose to be able to close the alert and reset the monitor health, which lets you bulk-close alerts. This brings back the behavior from earlier versions of SCOM. Alternatively, you can choose to stay with the 2019 behavior.
There are improvements to the upgrade process: registry key settings and the custom install location of the Monitoring Agent are maintained when going from SCOM 2019 to 2022.
Alerts can now be sent to Teams channels, instead of Skype for Business.
SCOM can also monitor Azure Stack HCI deployments, using a new MP, which is actually a grouping of current Management Packs (BaseOS, Cluster, Hyper-V, SDN and Storage).
There are also some other minor fixes such as running the SCOM database on SQL Always On (no post configuration changes required), SHA256 encryption for certificates for the Linux agent, the FQDN source of alerts is now shown when tuning Management Packs and you can view the alert source for active alerts. Newer Linux distros such as Ubuntu20, Debian 10 and Oracle Linux 8 are also now supported for monitoring.
The dependency on the LocalSystem account on Management Servers has been removed and just like the other System Center components, SCOM 2022 runs on Windows Server 2022.
Data Protection Manager
Apart from running on Windows Server 2022, there are a few improvements in DPM. The main one (depending on your restore scenarios) is the removal of the requirement for file catalogue metadata for individual file and folder restores, in favor of an iSCSI based approach which improves backup times and restores.
If you’re using DPM to protect VMware vCenter you can now restore VMs in parallel; the default is up to 8 VMs simultaneously, but you can raise that limit with a simple registry change. Speaking of vCenter, VMware 7.0, 6.7 and 6.5 are supported, and you can now separate the VDDK logs that relate to VMware operations from the rest of the DPM logs and store them in a user-defined file.
Another “big” improvement is the change of the maximum data storage for a DPM server from 120 TB to 300 TB. As before, it’s recommended to have tiered storage with a small amount of SSD cache and the rest hard-drive-based and use the ReFS file system.
Should you be Excited?
It seems that System Center Orchestrator will come in a 64-bit version, although the bits weren’t part of the Early Preview, nor was System Center Service Manager 2022.
Overall, for me there’s nothing that we’ve covered in this article that’s a “must-have” to entice me to upgrade but if I’m upgrading to Windows Server 2022 anyway, or considering Azure Stack HCI, it’s a natural step.
I often express it like this – System Center is on life support. Microsoft isn’t looking to gain more market share against other datacenter management suites, they’re simply keeping System Center up to date and able to manage the latest OSs so that if you’re already a customer – you have a comfortable upgrade path. All System Center products also incorporate various levels of Azure/Microsoft 365 integration to tick the box of being “hybrid” and helping enterprises in their journey to the cloud.
The Ubiquiti UFiber modules are officially supported and compatible with all EdgeSwitch, EdgeRouter, UniFi Switch, UniFi Dream Machine Pro and UniFi Security Gateway models that have SFP or SFP+ ports. Multi-mode and single-mode SFP and SFP+ models are available, including single-mode BiDi models.
SKU (Model), with compatibility columns 1G (SFP), 10G (SFP+) and 25G:
UF-MM-1G, UF-SM-1G-S
UF-MM-10G, UF-SM-10G, UF-SM-10G-S
UF-RJ45-1G
UF-RJ45-10G
UDC-1 (1m), UDC-2 (2m), UDC-3 (3m) *
UC-DAC-SFP+ (0.5m) *
UC-DAC-SFP28 (0.5m) **
* Ports can be set manually to 1000mbps for compatibility between SFP+ and SFP ports. | ** SFP28 to SFP28 (max data rate 25Gbps)
The list below includes third-party SFP/SFP+ transceivers that have been tested by community members. Please note that these should work, but we cannot assure that they will. Some modules will have multiple hardware revisions, and while one revision may work (i.e. 1.0), it’s possible that a newer revision (i.e. 1.1, 1.2, etc.) of the same module may not work.
The following SFP/SFP+ transceivers have been tested by community members, but may not work reliably. They are not recommended for use with UniFi switch.
TP-LINK TL-SM311LS ** may not work on newer firmware, may also depend on module version
TP-LINK TL-SM311LM ** may not work on newer firmware, may also depend on module version
This article provides tables with information on the supported Power over Ethernet (PoE) output and input modes for Ubiquiti UniFi Switches, Access Points, Cloud Keys and Cameras.
NOTES & REQUIREMENTS:
See each device’s Datasheet, available in their store product page or in the Downloads section, for more information on the supported PoE modes.
See our PoE Adapters page for more information on Ubiquiti PoE adapters/injectors that can be used to power on devices.
One of the challenges with large PoE deployments is figuring out how to provide power to your UniFi Access Points. When you have many access points it becomes less viable to power devices using AC PoE injectors. With non-PoE capable switches, you can add a Midspan device which acts as a collection of individual PoE injectors by receiving Ethernet from the switch with only data being transmitted and adding power out over Ethernet through the connection. Such a piece of equipment takes up additional space on your rack, while also costing you a lot of money.
To help with such deployments, UniFi Switches come in a few different models with varying numbers of ports from 8, 16, 24 and 48. These switches are endspan devices as they act as both the switch and provide PoE to devices. UniFi switches give you greater functionality when used with the different UniFi Access Point (UAP), UniFi Dream Machine (UDM), and UniFi Security Gateway (USG) models, and cost well under the amount of the midspan device alone.
UniFi Switches – Supported PoE Output Modes
Ubiquiti devices use Active PoE output. This means that the voltage the Powered Device (PD) needs is negotiated. There are three output modes:
PoE: Uses IEEE 802.3af standard to deliver up to 15.4W.
PoE+: Uses IEEE 802.3at standard to deliver up to 30W.
PoE++: Uses IEEE 802.3bt standard to deliver up to 60W.
Different switches provide different output methods, so it’s important to learn what power method the UniFi switches support and compare it with the power method needed to power the different UniFi devices, e.g. UniFi access points, cameras or Cloud Keys.
It’s important to note that each switch has a maximum power consumption which should be considered when powering multiple UniFi devices via PoE. For example, a US-16-150W has a 150W maximum power consumption, even though it has 16 ports. The UAP-HD has a maximum power consumption of 17W. Therefore, if you were to power 16 UAP-HD on a US-16-150W, there is a possibility that the wattage could exceed what the switch is capable of supplying in certain conditions. Find each device’s power consumption in their Datasheets, found in the Downloads page, within each product’s Documentation section.
NOTES:
* The IW models only support PoE Pass-Through when powered by 802.3at.
** UAP-AC-LRs with a date code prior to 1634 or board revision before 17 only support 24V passive PoE.
*** UAP-AC-LITEs with a date code prior to 1634 or board revision before 33 only support 24V passive PoE.
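The power-budget point above (16 UAP-HD on a US-16-150W) generalizes to any switch and device mix. The following is an added example, not Ubiquiti code: it checks each device's required output mode against what the ports supply and the worst-case total against the switch budget. The mode limits and the US-16-150W / UAP-HD figures come from the text; that the UAP-HD needs PoE+ (802.3at) is an assumption, as are the other sample values.

```python
"""Check a UniFi PoE plan against per-port output mode and switch power budget.

Added example, not Ubiquiti code. The three modes and their maximum output
come from the text above; the switch and device figures in sample_plan()
are the US-16-150W / UAP-HD numbers quoted there. Everything else is a
constructed stand-in.
"""
from dataclasses import dataclass

# Maximum per-port output of each mode (IEEE 802.3af / 802.3at / 802.3bt).
MODE_WATTS = {"PoE": 15.4, "PoE+": 30.0, "PoE++": 60.0}
MODE_RANK = {"PoE": 0, "PoE+": 1, "PoE++": 2}


@dataclass
class PoweredDevice:
    name: str
    required_mode: str   # lowest output mode the device accepts (datasheet)
    max_watts: float     # maximum power consumption (datasheet)


def check_poe_plan(switch_name, port_mode, budget_watts, port_count, devices):
    """Return a list of findings; an empty list means the plan fits."""
    findings = []
    if port_mode not in MODE_WATTS:
        return [f"{switch_name}: unknown PoE output mode {port_mode!r}"]
    if len(devices) > port_count:
        findings.append(
            f"{switch_name}: {len(devices)} devices but only {port_count} ports")
    for pd in devices:
        if pd.required_mode not in MODE_RANK:
            findings.append(f"{pd.name}: unknown required mode {pd.required_mode!r}")
            continue
        # A PD needing a higher mode than the port offers will not negotiate power.
        if MODE_RANK[pd.required_mode] > MODE_RANK[port_mode]:
            findings.append(
                f"{pd.name}: needs {pd.required_mode}, ports supply {port_mode}")
        elif pd.max_watts > MODE_WATTS[port_mode]:
            findings.append(
                f"{pd.name}: draws up to {pd.max_watts}W, above the "
                f"{MODE_WATTS[port_mode]}W per-port limit of {port_mode}")
    # The switch budget is shared by all ports; it is not per-port max times port count.
    total = sum(pd.max_watts for pd in devices)
    if total > budget_watts:
        findings.append(
            f"{switch_name}: worst-case draw {total:.1f}W exceeds the "
            f"{budget_watts:.0f}W switch budget")
    return findings


def sample_plan():
    """Sixteen UAP-HD (17W each, 802.3at assumed) on a US-16-150W."""
    aps = [PoweredDevice(f"UAP-HD-{i:02d}", "PoE+", 17.0) for i in range(1, 17)]
    return check_poe_plan("US-16-150W", "PoE+", 150.0, 16, aps)


if __name__ == "__main__":
    for line in sample_plan():
        print(line)
```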
Legacy Devices – Power Methods
Model | PoE | PoE+ | PoE++
UAP | – | – | –
UAP-LR | – | – | –
UAP-PRO | – | –
UAP-AC | – | –
UAP-AC-Outdoor | – | –
UAP-Outdoor | – | – | –
UAP-Outdoor+ | –
UAP-Outdoor5 | – | – | –
UAP-IW | * | * | –
NOTE: * The UAP-IW only supports PoE Pass-Through when powered by 802.3at.
Use this article to compare the different antenna radiation patterns of our UniFi Access Points. For an explanation on how to read antenna radiation patterns see UniFi – Introduction to Antenna Radiation Patterns.
Radiation patterns can be used to better understand how each Ubiquiti UniFi access point model broadcasts wireless signal. These patterns are what antenna engineers call reciprocal—in that the transmit-power (the capability of the AP to ‘speak’) will be highest at the peaks, and so will the receive-sensitivity (the capability of the AP to ‘hear’).
Please note that these radiation patterns are gathered in a fully anechoic environment. Their shape, peak gain/directivity and efficiency will change in installed environments. Every deployment will behave differently due to interference, materials, geometries of structures, and how these materials behave at 2.4GHz and 5GHz.
With that in mind, use these radiation plots as a “general guide” to identify where most of the energy (and receive sensitivity) of the UniFi APs is being directed; but keep present that the ultimate way to know how successful the coverage design is—is to measure it. Measure signal strength and coverage before (with mock positioning), during (as you install), and after to guarantee that you have the coverage you want—and don’t have the coverage you don’t want (for example with self-interference: APs hearing each other or other AP stations on the same channel).
Radiation Plot Format
Radius represents ‘elevation’, with 0° representing antenna gain straight under the AP, and 90° representing antenna gain at horizon. The degrees on the circumference represent ‘Azimuth’. That is to say, left/right/front/back of the AP, when mounted overhead.
Comparison Table
Use this table to compare the radiation patterns of each UAP. The first column shows where the respective colored dots found in each radiation plot is placed in the actual devices. Note that colored dots in the plots might be in the outer perimeter or closer to center.
Note: Varying scales are represented in the graphs below. Consider each graph individually and take note of scale when comparing products.
This section includes a graphic summary for each UniFi Access point shown in the table above, portraying radiation plots for Azimuth, Elevation 0°, Elevation 90° and Mapped 3D.
U6 Lite
U6 LR
U6 Pro
U6 Mesh
UWB-XG
High Gain
Low Gain
UDM
UAP-IW-HD
UAP-FlexHD
UAP-BeaconHD
UAP-nanoHD
UAP-HD
UAP-SHD
UAP-AC-Lite
UAP-AC-LR
UAP-AC-PRO
UAP-AC-IW
UAP-AC-IW-PRO
UAP-AC-M
Note: The antennas for the UAP-AC-M were angled at 45° to generate the plots as shown in the images above.
UAP-AC-M-PRO
UMA-D
UAP-XG
Antenna Files (.ant)
Please note the data in the .ant files below was extracted from full model simulations. Clicking on the links in the following table will prompt the immediate download of the .ant file.
This article describes how to configure access policies (802.1X) on UniFi switches for wired clients. This article includes instructions on how to configure using the RADIUS server built-in to the UniFi Security Gateway and also UniFi Network configuration examples to point to your own authentication server. Every UniFi switch model is capable of authentication via 802.1X. The configuration does not change from model to model.
Note: Please complete the prerequisite configuration found in the UniFi – USG: Configuring RADIUS Server article before following this guide’s instructions.
This option is found on the switch properties panel under Config > Services in the Security section when selecting an individual switch from the “Devices” section of the UniFi Network application.
ATTENTION: Enabling access control is done on a per-switch basis. If this is not enabled, the switch will not be able to act as an authenticator to pass RADIUS messages to the RADIUS server.
Differentiating 802.1X Port Modes
Auto: The port is unauthorized until a successful authentication exchange has taken place.
Force Unauthorized: The port ignores supplicant authentication attempts and does not provide authentication services to the client.
Force Authorized: The port sends and receives normal traffic without client port-based authentication.
MAC-Based: This mode allows multiple supplicants connected to the same port to each authenticate individually. Each host connected to the port must authenticate separately in order to gain access to the network. The hosts are distinguished by their MAC addresses.
Working with Port Profiles
Using port profiles for rapid deployment is recommended instead of applying 802.1X policies manually on each port.
Navigate to Settings > Profiles > Switch Ports.
Create a new profile with the desired 802.1X control.
NOTE: When using dynamic VLAN assignment on RADIUS, the port profile must include each VLAN desired for use.
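The three points above (the per-switch access control toggle, the four port modes, and the VLAN rule for dynamic assignment) can be checked against a port-profile layout before rollout. The following audit is an added example, not UniFi's API or data model: switch, profile and port fields are assumed stand-ins for what the UniFi Network application stores, and the site in sample_audit() is constructed.

```python
"""Audit 802.1X port settings on UniFi-style switches.

Added example, not UniFi's own API or data model. Switch, profile and port
fields are assumptions standing in for what the UniFi Network application
stores; the checks encode the per-switch access control toggle, the four
port modes, and the VLAN rule for dynamic VLAN assignment.
"""
from dataclasses import dataclass, field

PORT_MODES = {"auto", "force_unauthorized", "force_authorized", "mac_based"}
AUTHENTICATING_MODES = {"auto", "mac_based"}


@dataclass
class PortProfile:
    name: str
    dot1x_mode: str                   # one of PORT_MODES
    native_vlan: int
    tagged_vlans: set = field(default_factory=set)
    dynamic_vlan: bool = False        # RADIUS may assign the VLAN


@dataclass
class Switch:
    name: str
    access_control_enabled: bool      # per-switch 802.1X control toggle
    ports: dict                       # port number -> profile name


def audit(switches, profiles, radius_vlans):
    """Return (switch, port, finding) tuples for every port that needs attention."""
    findings = []
    for sw in switches:
        for port, pname in sorted(sw.ports.items()):
            prof = profiles[pname]
            if prof.dot1x_mode not in PORT_MODES:
                findings.append((sw.name, port, f"unknown 802.1X mode {prof.dot1x_mode!r}"))
                continue
            # Without the per-switch toggle the switch cannot act as authenticator,
            # so Auto/MAC-Based ports never complete an exchange.
            if prof.dot1x_mode in AUTHENTICATING_MODES and not sw.access_control_enabled:
                findings.append((sw.name, port,
                                 "profile requires authentication but switch access control is disabled"))
            if prof.dot1x_mode == "force_authorized":
                findings.append((sw.name, port,
                                 "Force Authorized passes traffic unauthenticated; confirm this is an uplink"))
            # Dynamic VLAN assignment only works for VLANs present in the profile.
            if prof.dynamic_vlan:
                missing = sorted(radius_vlans - prof.tagged_vlans - {prof.native_vlan})
                if missing:
                    findings.append((sw.name, port,
                                     f"RADIUS may assign VLANs {missing} that the profile lacks"))
    return findings


def sample_audit():
    """Constructed two-switch site; VLAN 30 is returned by RADIUS but absent from the profile."""
    profiles = {
        "dot1x-access": PortProfile("dot1x-access", "auto", 1, {10, 20}, dynamic_vlan=True),
        "printers": PortProfile("printers", "mac_based", 20),
        "uplink": PortProfile("uplink", "force_authorized", 1, {10, 20, 30}),
    }
    switches = [
        Switch("usw-24-floor1", True, {1: "dot1x-access", 2: "printers", 24: "uplink"}),
        Switch("usw-8-lobby", False, {1: "dot1x-access"}),   # toggle forgotten
    ]
    return audit(switches, profiles, radius_vlans={10, 20, 30})


if __name__ == "__main__":
    for sw, port, text in sample_audit():
        print(f"{sw} port {port}: {text}")
```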