• Solutions
    • Solutions


    • Scan
    • Analyze
    • Score
    • Automate
    • What is on my network?
      Quickly, comprehensively and accurately assess endpoints and servers for operating system and application vulnerabilities.
    • Which assets are at risk, and what should I do about their vulnerabilities?
      Identify which assets are at risk and receive actionable intelligence to reduce workload and increase effectiveness.
    • How do I measure my overall risk and where should I focus remediation efforts?
      Benefit from a clear, easy-to-understand metric to determine your organization’s security posture.
    • How can I integrate Frontline vulnerability findings into my security workflow?
      Easily integrate discovered, analyzed, scored, and prioritized vulnerabilities into leading security workflow management platforms and SIEMs.
    • Test
    • Educate
    • Compliance
    • How do I assess where I’m exposed from an attacker’s perspective?
      Assess your “network attack surface” and your “personnel attack surface”.
    • How do I ensure all personnel are cognizant of risky “digital behavior”?
      Increase the security IQ of employees, contractors, and patrons to effectively defend against a security breach.
    • Am I meeting requisite compliance standards?
      Leverage the expertise of one of the world’s longest tenured PCI Approved Scanning Vendors (ASV) to achieve compliance AND an optimal level of security.
  • Cloud Subscriptions
    • Frontline Cloud Subscriptions


    • Frontline Advanced™
    • Frontline Pro™
    • Frontline PCI Pro™
    • Frontline Pen Test™
    • Frontline Advanced is Digital Defense’s flagship vulnerability management offering. Powerful and effective, the service is delivered in a rich, affordable and easy to consume subscription.
    • Frontline Pro provides the same industry leading solution subscription as Frontline Advanced, but adds a Personal Security Analyst (PSA) to help lift the burden of vulnerability management.
    • Frontline Payment Card Industry-Professional (Frontline PCI-Pro) service guides businesses through the PCI Data Security Standards (DSS) requirements maze with security expertise and personalized recommendations to achieve compliance.
    • Frontline Pen Test offers a conveniently packaged sequence of periodic (and scheduled) pen tests into an annual subscription.
  • Platform
    • Platform


    • Frontline RNA™
    • Frontline VM™
    • Frontline Reconnaissance Network Appliance (RNA) is a preconfigured network based device used to perform network security assessments without requiring onsite staff.
    • Frontline Vulnerability Manager (VM) is the industry’s most comprehensive, accurate, and easy to use VM platform – bar none.
  • Technologies
    • Technologies


    • DDI NIRV™
    • DDI VRT™
    • DDI DNA™
    • DDI NIRV – the technology core of Frontline RNA™ – works on the principle of real-time event-based tuning. As it learns more about hosts and the network, NIRV adjusts its plugin sets and auditing mechanisms in real time – leading to far more accurate and complete scanning data.
    • While Digital Defense has achieved public acclaim for its superior vulnerability scanning, vulnerability management, and best practice consultative services, we are also actively involved in security threat research.
    • Digital Node Attribution (DNA) is the core technology within Frontline VM that eliminates network drift. As point in time scans from RNA are fed into Frontline Vulnerability Manager™,
  • Professional Services
    • Professional Services


    • Frontline Pen Test Project™
    • Frontline Social Test™
    • SecurED™ Training
    • Understanding and addressing network and host vulnerabilities is, of course, an essential element to strong information security.
    • Social engineering is a popular technique attackers use to gain access to your network and, ultimately, valuable information held by your organization.
    • SecurED, an entertaining awareness training designed to optimize employee retention of serious security intelligence and best practices.
    • TEAM™
    • Consultative Services
    • As your organization grows in size and complexity, determining exposure to information asset risks becomes more challenging, as does your ability to identify threats and implement effective plans to address them.
    • As your organization grows in size and complexity, determining exposure to information asset risks becomes more challenging, as does your ability to identify threats and implement effective plans to address them.
  • Get a Quote

Vendor: Dell
Product: SonicWALL Email Security (virtual appliance)
Version: 8.3.0.6149

 

Summary Information:
SonicWALL Email Security can be configured as a Mail Transfer Agent (MTA) or SMTP proxy and has spam protection, compliance scanning, anti-malware and anti-virus capabilities.  The affected web interfaces for these vulnerabilities are frequently available on externally accessible perimeter interfaces.  By combining the authentication bypass and command execution vectors, full appliance compromise can be achieved including the ability to snoop inbound/outbound corporate email.

 

DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet
DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html
DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html
DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html

 


Details:

DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet
Impact: Sensitive information disclosure including config files and the SHA1 password hash for the admin account.
Details: The DLoadReportsServlet can be accessed via the http://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by suppling the path to the backup via the “snapshot” GET parameter. This GET parameter can be used to access any files stored in the /opt/emailsecurity/data/backup directory or one of its sub-directories. The backup file names are generated when the backup is created and includes a datetime stamp that would make them hard to find without additional information, for example, es_snwl_globalsettings_20160730001957_v8.3.0.6149.zip. However, there is a metadata file that contains the name of the backup files that can be downloaded by specifying the following path for the “snapshot” parameter, /opt/emailsecurity/data/backup/snwl/backupsnapshot_metadata.log. The global settings backup file contains numerous config files, including multi_accounts.xml, which contains the current SHA1 password hash for the admin account.

 

DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html
Impact: Information disclosure
Details: The Configure Known Networks section of the web interface allows users to upload an XML file that contains known networks. This functionality can be abused to retrieve some files from the host running the SonicWALL Email Security software when the web interface tries to parse a crafted XML file. The KnownNetworkImportAction class manages the known networks file upload and calls the doImport method from this class to start the file import. From here, the doImport method creates a new KnownNetworkDataManager object to read in and parse XML file using the readInputStream method from the XMLManagerW3CDom4J class. The readInputStream method in the XMLManagerW3CDom4J class fails to explicitly disable DTD parsing, which is enabled by default, when using the DocumentBuilderFactory to parse the user controlled XML file.

 

DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html
Impact: Arbitrary OS command execution as root, full compromise of the virtual appliance.
Details: The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. The FTPProfileAction class handles the saving of the FTP profile via the saveFTPProfile method which will save the FTP profile to /opt/emailsecurity/data/backupconfig.xml config file. No sanitation is done on the user provided values for the username or password before they are saved for later use. When a manual backup is performed, these user provided values are used by mlfworkr to run ncftpput using “sh -c” with the FTP profile information from backupconfig.xml. Commands should be placed inside backticks or semicolons and can be injected via the username or password parameters.

 

DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html
Impact: Deletion of arbitrary files with root privileges, denial of service
Details: Compliance dictionaries can be added and deleted via the web management interface. When a dictionary is selected for deletion the PolicyDictionaryAction class “save” method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk using the “deleteDictionaries” method from the DictionaryManager class. The “save” method in the PolicyDictionaryAction class does not validate that the “selectedDictionary” POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.

 

favicon