The Digital Defense, Inc. (DDI) Vulnerability Research Team (VRT) has identified six previously undisclosed vulnerabilities in the Dell SonicWALL Global Management System (GMS). GMS is typically found deployed on the internal network, however, external implementations are possible.
Product: SonicWALL Global Management System (GMS)
Versions Tested: 8.1 (Build: 8110.1197, the most recent available) virtual appliance
Brief product description: SonicWALL GMS is a central management, reporting, and monitoring solution for SonicWALL appliances such as SSL VPNs and firewalls. It allows for control and management of all attached SonicWALL appliances.
DDI-VRT-2016-55: Unauth root command injection via set_time_config method call (Critical)
DDI-VRT-2016-56: Unauth root command injection via set_dns method call (Critical)
Vulnerability: Unauthenticated Remote Command Execution with Root Privileges
Impact: Using the command injection vulnerability an attacker can gain a reverse root shell on the virtual appliance allowing the attacker to obtain database credentials and change the password for the admin user of the GMS interface allowing complete compromise of the virtual appliance.
DDI-VRT-2016-57: Hidden default account(s) with easily guessable password (Critical)
Vulnerability: Hidden Default Account with Easily Guessable Password
Impact: This hidden account can be used to add non administrative users via the CLI Client that can be downloaded from the Console interface of the GMS web application. The non-administrative user can then log into the web interfaces and change the password for the admin user, elevating their privilege to that of the admin user upon logging out and back in as the admin user with the new password. This would grant the attacker full control of the GMS interface and all attached SonicWALL appliances.
DDI-VRT-2016-58: Unauth XXE in GMC service (Critical)
Vulnerability: Unauthenticated XML External Entity Injection (XXE) in the GMC Service
Impact: The XXE injection can be utilized to retrieve encrypted database credentials, IP address and port for the GMS cluster database and utilizing the obtainable static key to decrypt and change the admin password to the GMS web interface admin account. An attacker can gain full compromise of the GMS interface and all attached SonicWALL appliances, arbitrary file retrieval with root privileges, and denial of service. No authentication is required to exploit this vulnerability.
DDI-VRT-2016-59: Unauth XXE via AMF message (High)
Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message
Impact: Using the XXE injection, an attacker can retrieve the current MD5 password hash for the admin user of the virtual appliance and the last several hashed passwords for the admin user. No authentication is required to exploit this vulnerability.
DDI-VRT-2016-60: Unauth modification of the virtual appliance networking info (Medium)
Vulnerability: Unauthenticated Network Configuration Changes via GMC Service
Impact: A denial of service condition can be initiated by sending a HTTP POST with XML method data to get and set various networking options for the GMS virtual appliance which can then be used to reboot the appliance. No authentication is required to exploit this vulnerability.
Checks for each of the identified vulnerabilities* are available now in Frontline™ Vulnerability Manager. Clients are encouraged to run a full vulnerability assessment which includes the checks for the Dell SonicWALL GMS vulnerabilities or run Scan Policy SonicWALL GMS July 2016 Flaws to check specifically for only the vulnerabilities identified in this advisory.
*There is no check for DDI-VRT-2016-56: Unauth root command injection via set_dns method call (Critical) as checking for this condition would alter the GMS interface in a way that could not be reversed. However, users should assume their GMS platforms are affected if other identified vulnerabilities are present.
Dell has addressed these vulnerabilities and released patches for the software at www.mysonicwall.com. Please refer to the following page for specific instructions on how to obtain and apply the update:
Users who are unable to apply patches to the affected systems can attempt to mitigate some of the risk posed by these exploit vectors by limiting access to the network services of their SonicWALL GMS appliances to restricted-access internal network segments or dedicated VLANs.
Additional details regarding the attack vector associated with these flaws will be available following the public disclosure of the vulnerabilities on July 20, 2016 on the DDI Blog.
Take DDI’s Free 21 Day Trial to Test the Strength of Your External Network.
To learn more about internal network scanning services, contact us.