Digital Defense (DDI) disclosed the discovery of four security vulnerabilities found in the Dell SonicWALL Email Security virtual appliance application.
The appliance is frequently deployed as a perimeter device. Further, its affected web interface is often times configured to be externally accessible. By combining an authentication bypass and command execution flaw, full appliance compromise can be achieved including the ability to eavesdrop on inbound and outbound corporate email of organizations using the affected appliance.
The newly identified vulnerabilities require immediate attention due to the easily accessible web interface on an Internet or intranet-connected appliance for the application and the potential for unauthorized persons to access sensitive information.
If exploited by cybercriminals, the identified vulnerabilities may lead to sensitive information disclosure of administrative account password hash, arbitrary OS command execution and file deletion as ROOT, and full compromise of the virtual appliance.
Dell has released a rollup patch for the SonicWALL Email Security platform.
Authentication Bypass in DLoadReportsServlet
Impact: Sensitive information disclosure including config files and the SHA1 password hash for the admin account.
Vulnerability: The DLoadReportsServlet can be accessed via the http://IP/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by supplying the path to the backup via the “snapshot” GET parameter which can be used to access any files stored in the backup directory or one of its sub-directories. The global settings backup file contains numerous config files, one which contains the current SHA1 password hash for the admin account.
Authenticated XML External Entity Injection in known_network_data_import.html
Impact: Information disclosure.
Vulnerability: The Configure Known Networks section of the web interface allows users to upload an XML file that contains known networks. This functionality can be abused to retrieve some files from the host running the SonicWALL Email Security software when the web interface tries to parse a crafted XML file.
Authenticated Remote Command Execution in manage_ftpprofile.html
Impact: Arbitrary OS command execution as root, full compromise of the virtual appliance.
Vulnerability: The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. No sanitation is done on the user provided values for the username or password before they are saved for later use. Commands placed inside backticks or semicolons can be injected via the username or password parameters.
Authenticated Arbitrary File Deletion in policy_dictionary.html
Impact: Deletion of arbitrary files with root privileges, denial of service.
Vulnerability: Compliance dictionaries can be added and deleted via the web management interface. When a dictionary is selected for deletion the “save” method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk. The “save” method does not validate that the “selectedDictionary” POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.