Today Digital Defense is publishing several high-impact vulnerabilities in the Dell SonicWALL GMS platform that our vulnerability research team discovered and reported to Dell. Dell has been extremely professional and worked diligently with Digital Defense engineering staff to understand, resolve and verify the fixes for these security issues.

Dell has released fixes and customer advisories for these issues here: SonicWall GMS

Note that these vulnerabilities are in the SonicWall GMS management appliances, which administer other SonicWall SSL-VPN and firewall platforms. While we typically do not see these appliances and their management protocols deployed on external network interfaces, the flaws are high severity and allow full control of critical edge infrastructure, so we recommend that clients who use these systems anywhere in their network architecture sweep for them on both internal and external network segments.

Clients who currently use our Frontline VM platform, or prospects using our trial system to check their external networks, can sweep for all of these issues by selecting the [SonicWall GMS July-2016 Flaws] scan policy or by running a full vulnerability assessment scan. These are explicit network checks, so no credentials are required to detect the flaws.

Details of the vulnerabilities are as follows: 

Vendor: Dell

Product: SonicWALL Global Management System (GMS)

Versions Tested: 8.1 (Build: 8110.1197, the most recent available) virtual appliance

Link: http://www.sonicwall.com/products/sonicwall-gms/

Brief product description: SonicWALL GMS is a central management, reporting, and monitoring solution for SonicWALL appliances such as SSL VPNs and firewalls. It allows for control and management of all attached SonicWALL appliances.


Summary:


1. DDI-VRT-2016-55: Unauth root command injection via set_time_config method call

2. DDI-VRT-2016-56: Unauth root command injection via set_dns method call

3. DDI-VRT-2016-57: Hidden default account(s) with easily guessable password 

4. DDI-VRT-2016-58: Unauth XXE in GMC service

5. DDI-VRT-2016-59: Unauth XXE via AMF message

6. DDI-VRT-2016-60: Unauth modification of the virtual appliance networking info


Details:


Vulnerability: Unauthenticated Remote Command Execution with Root Privileges

Internal Tracking ID: DDI-VRT-2016-55 (set_time_config)

Internal Tracking ID: DDI-VRT-2016-56 (set_dns)

Impact: Complete compromise of the virtual appliance


Attack scenario: Using the command injection vulnerability, an attacker can obtain a reverse root shell on the virtual appliance. From that shell the attacker can read the database credentials from /opt/GMSVP/data/sgmsConfig.xml. The database username and password are encrypted with a static key held in the TEAV class in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar. With the database credentials, the attacker can log into the sgmsdb database and change the admin password for the GMS management interface by updating the PASSWORD column of the row with ID=admin to a new hash value, such as 5f4dcc3b5aa765d61d8327deb882cf99 (the MD5 of “password”). Once the admin password for the GMS interface has been obtained or changed, the attacker controls all SonicWALL appliances managed by the GMS appliance.

Details: The GMC service, on port 21009, can be used to get and set various networking options on the virtual appliance without authentication. It accepts a method named set_time_config, used to set the appliance timezone, that can be leveraged to run arbitrary commands with the privileges of the service process, in this case root. The command is placed, enclosed in backticks, in the “value” field of the “timezone” XML element. The GMC service (/opt/GMSVP/Scheduler/gmc.jar) accepts the HTTP POST carrying the XML data and forwards the XML portion of the request, without validating the “timezone” value, to the dispatcher service (/opt/vsa/bin/dispatcher) on port 8035. The dispatcher calls /opt/vsa/bin/timeSetup.sh and passes the attacker-supplied timezone value to that script via the “--tz=” parameter; because the value is interpolated into a shell command line, the backtick-enclosed command runs before timeSetup.sh itself does. Commands can also be executed through the “set_dns” method by injecting the command into the “search_suffixes” value while supplying a validly formatted “nameservers” IP value; the search_suffixes value is likewise not validated in DispatcherHandler.class.

Vulnerable JAR: /opt/GMSVP/Scheduler/gmc.jar

Vulnerable Class: DispatcherHandler
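The GMC-to-dispatcher chain described above, modelled in Python as an added example (this is not code from Digital Defense, Dell or the appliance): the vulnerable path splices the untrusted timezone value into a shell command line, so a backtick substitution runs before the script is invoked, while the hardened path validates the timezone, nameservers and search_suffixes fields and hands each to the script as a single argv element with no shell in between. The XML-RPC struct member names, the sample request, and the use of echo as a stand-in for /opt/vsa/bin/timeSetup.sh are constructed assumptions; the advisory does not say what validation Dell's fix applies.

```python
"""Model of the GMC -> dispatcher flow for set_time_config and set_dns.

Added example: not Digital Defense's, Dell's, or the appliance's own code.
Constructed assumptions: the XML-RPC struct member names, the sample
request, and 'echo' standing in for /opt/vsa/bin/timeSetup.sh.
"""
import ipaddress
import re
import subprocess
import xml.etree.ElementTree as ET

STAND_IN_SCRIPT = "echo"  # assumption: stands in for /opt/vsa/bin/timeSetup.sh

# Constructed request carrying the backtick injection the advisory describes
# in the "timezone" value.
SAMPLE_CALL = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>set_time_config</methodName>
  <params><param><value><struct>
    <member><name>timezone</name><value>`echo INJECTED`</value></member>
  </struct></value></param></params>
</methodCall>"""


def parse_method_call(body: bytes):
    """Return (method name, {member: value}) for a struct-carrying XML-RPC call.

    ElementTree neither loads DTDs nor resolves external entities, so this
    step is not the XXE issue the advisory covers separately.
    """
    root = ET.fromstring(body)
    members = {}
    for member in root.iterfind(".//struct/member"):
        value = member.find("value")
        text = value.findtext("string") if value.find("string") is not None else value.text
        members[member.findtext("name")] = (text or "").strip()
    return root.findtext("methodName"), members


def run_vulnerable(tz: str) -> str:
    """Unpatched behaviour: the value is spliced into a shell command line, so
    the backtick substitution runs before the script is even invoked."""
    command_line = f"{STAND_IN_SCRIPT} --tz={tz}"
    result = subprocess.run(command_line, shell=True, capture_output=True, text=True)
    return result.stdout.strip()


# Syntactic allow-lists.  A zoneinfo lookup can sit on top of TZ_RE.
TZ_RE = re.compile(r"[A-Za-z0-9_+\-]+(/[A-Za-z0-9_+\-]+){0,2}")
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
SUFFIX_RE = re.compile(rf"{LABEL}(\.{LABEL})*")


def validate_time_config(members: dict) -> list:
    tz = members.get("timezone", "")
    if not TZ_RE.fullmatch(tz):
        raise ValueError(f"rejected timezone {tz!r}")
    return ["--tz=" + tz]


def validate_dns(members: dict) -> list:
    """The flawed build checked nameservers but not search_suffixes; check both."""
    servers = [s.strip() for s in members.get("nameservers", "").split(",") if s.strip()]
    for server in servers:
        ipaddress.ip_address(server)  # raises ValueError on anything but an IP
    suffixes = [s.strip() for s in members.get("search_suffixes", "").split(",") if s.strip()]
    for suffix in suffixes:
        if not SUFFIX_RE.fullmatch(suffix):
            raise ValueError(f"rejected search suffix {suffix!r}")
    return ["--nameservers=" + ",".join(servers), "--search=" + ",".join(suffixes)]


VALIDATORS = {"set_time_config": validate_time_config, "set_dns": validate_dns}


def hardened_dispatch(body: bytes) -> list:
    """Validate first, then build argv; unknown methods are refused."""
    method, members = parse_method_call(body)
    if method not in VALIDATORS:
        raise ValueError(f"unknown method {method!r}")
    return VALIDATORS[method](members)


def run_hardened(tz: str) -> str:
    """Validated value passed as one argv element, never through a shell."""
    argv = [STAND_IN_SCRIPT] + validate_time_config({"timezone": tz})
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout.strip()


def is_rejected(check, arg) -> bool:
    """True when the validator raised ValueError for this input."""
    try:
        check(arg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    injected = "`echo INJECTED`"
    print("vulnerable:", run_vulnerable(injected))
    print("hardened rejects injection:", is_rejected(hardened_dispatch, SAMPLE_CALL))
    print("hardened:", run_hardened("America/Chicago"))
```

The vulnerable function only ever runs against the echo stand-in; on the real dispatcher the same string would reach timeSetup.sh. The syntactic timezone check can be backed by a lookup in zoneinfo.available_timezones() where tzdata is installed, and the argv form means that even a value which slips past validation arrives at the script as literal characters rather than shell syntax.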


Vulnerability: Hidden Default Account UT000000000000 with Easily Guessable Password

Internal Tracking ID: DDI-VRT-2016-57

Impact: This hidden account can be used to add non-administrative users via the CLI Client that can be downloaded from the Console interface of the SGMS web application. Such a non-administrative user can then log into the web interface and change the password of the admin user; logging out and back in as admin with the new password elevates the attacker to full administrative privilege. This grants the attacker full control of the SGMS interface and all attached SonicWALL appliances.


Attack scenario: The attacker connects with the CLI Client to a GMS server configured in the Console or All-in-one role and logs in as UT000000000000 with the password “password” and the domain localdomain, then runs addusers with an XML file describing the user to be added, with all permissions set to allow and read/write access granted to the user management section of the SGMS Console. The attacker can now log into the GMS web interface as the new user, navigate to Console > Management > Users and reset the password for the admin user. The attacker then logs out and back in as admin, gaining full control over the SGMS interface and all attached SonicWALL appliances.


Details: When the SGMS all-in-one or cluster is deployed, the user UT000000000000 is created in the sgmsdb database with a default password of “password”. This user can log into the SGMS web interface but is immediately prompted to reset the password; that reset fails with a Java NullPointerException, which prevents anything useful from happening through the web interface. The same user can, however, log in via the CLI Client, which does not force an immediate password change. The UT000000000000 account has enough permissions to add non-administrative users to the sgmsdb database with every available permission set to allow and read/write. This lets UT000000000000 create a non-administrative user that can then log into the web interface and reset the admin password, gaining full access to the SGMS web interface. The following users are also present with a default password of “password” but do not have CLI access: UT123456789100, UT123456789200, and UT123456789300.


Vulnerability: Unauthenticated XML External Entity Injection in the GMC Service

Internal Tracking ID: DDI-VRT-2016-58

Impact: Full compromise of the GMS interface and all attached SonicWALL appliances, arbitrary file retrieval with root privileges, and denial of service.


Attack scenario: Using the XXE injection, an attacker can retrieve /opt/GMSVP/data/sgmsConfig.xml, which contains the encrypted database credentials and the IP address and port of the GMS cluster database. These credentials are easily decrypted with the static key from the TEAV class in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar. With the database credentials, the attacker can read the admin hash for the GMS web management interface from the users table of the sgmsdb database, along with the hashes for every configured GMS user, or simply overwrite that hash with a known value such as 5f4dcc3b5aa765d61d8327deb882cf99 (the MD5 of “password”). Once the admin password for the GMS interface has been obtained or changed, the attacker controls all SonicWALL appliances managed by the GMS appliance.


Details: No authentication is required to exploit this vulnerability. The GMC service, on port 21009, is used to get and set networking information on the appliance such as DNS and IP address via an HTTP POST request containing XML data, and a crafted XML message posted to it triggers the XML external entity injection. When the GMC service is created, it sets up an RPC receiver using the XmlRpcStreamServer class from xmlrpc-server-3.1.jar. That class obtains its XML reader from the newXMLReader method of the SAXParsers class in xmlrpc-common-3.1.jar, which never disables DTD processing or the resolution of external entities; the underlying SAX parser enables both by default, so a DOCTYPE in the request body is honored and the external entities it declares are fetched with the privileges of the service, root.

Vulnerable JAR: /opt/GMSVP/etc/xmlrpc-server-3.1.jar

Vulnerable Class: XmlRpcStreamServer


Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message (CVE-2015-3269, Apache Flex BlazeDS library, flex-messaging-core.jar)

Internal Tracking ID: DDI-VRT-2016-59

Impact: Arbitrary file retrieval with root privileges, denial of service and potential for full compromise of the virtual appliance and all attached SonicWALL appliances.


Attack scenario: Using the XXE injection, an attacker can retrieve /opt/GMSVP/data/auth.txt or /var/lib/pwd, which contain the current MD5 password hash for the admin user of the virtual appliance; auth.txt additionally holds the last several hashed passwords for that user. The auth.txt file is encrypted with a static key and functions from the TEAV class in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar, while the copy of the current admin hash in /var/lib/pwd is not encrypted at all. Once the admin password has been recovered by an offline dictionary or brute-force attack on that hash, the attacker can log into the appliance management web interface and create and download a “Basic” backup of the virtual appliance, which contains sgmsConfig.xml. This XML file holds the IP, username and password for the GMS database server; the username and password are encrypted with the TEAV class and can be decrypted with the same static key used for auth.txt. With the database credentials, the attacker can read the admin hash for the GMS web management interface from the users table of the sgmsdb database, along with the hashes for every configured GMS user, or overwrite that hash with a known value such as 5f4dcc3b5aa765d61d8327deb882cf99 (the MD5 of “password”). Once the admin password for the GMS interface has been obtained or changed, the attacker controls all SonicWALL appliances managed by the GMS appliance.


Details: No authentication is required to exploit this vulnerability. The SonicWALL GMS web application uses flex-messaging-core.jar to provide server-side support for the Flash-based portion of the GMS web application. The version of this library shipped with GMS does not prevent the use of XML external entities (CVE-2015-3269), which allows an attacker to retrieve arbitrary text files from the virtual appliance with root privileges. The vulnerability can be exploited by sending an HTTP POST containing the crafted AMF message to port 80 or 8443 at one of the following URIs:


/sgms/messagebroker/securestreamingamf
/sgms/messagebroker/amf/streamingamf
/sgms/messagebroker/amfpolling
/sgms/messagebroker/amfsecure
/sgms/messagebroker/amf


Vulnerable JAR file: /opt/GMSVP/Tomcat/webapps/sgms/WEB-INF/lib/flex-messaging-core.jar

Vulnerable Class: XMLUtil


Vulnerability: Unauthenticated Network Configuration Changes via GMC Service

Internal Tracking ID: DDI-VRT-2016-60

Impact: Denial of service

Details: No authentication is required to exploit this vulnerability. The GMC service, on port 21009, accepts HTTP POST requests carrying XML-RPC method calls that get and set various networking options for the GMS virtual appliance, and can also be used to reboot the appliance. The following methods can be called without authentication:


get_hostname
get_net_if
route
get_gw
get_dns
set_hostname
set_net_if
set_gw
set_dns
set_time_config
set_ntp
get_raid_info
reboot
get_sversion
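An unauthenticated reachability check for this service, written in Python as an added example (it is not Digital Defense's Frontline check and not Dell's code): it calls one read-only method from the list above and reports whether the service answered without any credentials being presented, which is the principle behind the credential-free network check mentioned at the top of this post. It assumes the service speaks standard XML-RPC at the root path of port 21009; the local server it starts is a constructed stand-in so the probe can be exercised offline.

```python
"""Unauthenticated reachability check for a GMC-style XML-RPC service.

Added example, not Digital Defense's Frontline check or any Dell code.
Assumptions: the service answers standard XML-RPC at the root path of
port 21009; the local server below is a constructed stand-in.
"""
import socket
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer

GMC_PORT = 21009

# The advisory's method list, split by side effect.  A scan check must only
# ever call the first group; 'route' is treated as state-changing because its
# name does not make it clearly read-only.
READ_ONLY = {"get_hostname", "get_net_if", "get_gw", "get_dns",
             "get_raid_info", "get_sversion"}
STATE_CHANGING = {"route", "set_hostname", "set_net_if", "set_gw", "set_dns",
                  "set_time_config", "set_ntp", "reboot"}
PROBE_METHOD = "get_sversion"


def probe(host: str, port: int = GMC_PORT, timeout: float = 5.0):
    """Return (exposed, detail).  exposed is True when the read-only method
    answers with a value although no credentials were presented."""
    assert PROBE_METHOD in READ_ONLY and PROBE_METHOD not in STATE_CHANGING
    old = socket.getdefaulttimeout()
    socket.setdefaulttimeout(timeout)  # ServerProxy has no timeout argument
    try:
        proxy = xmlrpc.client.ServerProxy(f"http://{host}:{port}/")
        answer = getattr(proxy, PROBE_METHOD)()
    except xmlrpc.client.Fault as exc:
        return False, f"service answered with a fault: {exc.faultString}"
    except (OSError, xmlrpc.client.ProtocolError) as exc:
        return False, f"no XML-RPC answer: {exc}"
    finally:
        socket.setdefaulttimeout(old)
    return True, f"{PROBE_METHOD} answered unauthenticated: {answer!r}"


def start_stand_in(port: int = 0):
    """Constructed stand-in for the GMC service: answers get_* with no auth.
    The version string echoes the build tested in the advisory."""
    server = SimpleXMLRPCServer(("127.0.0.1", port), logRequests=False)
    server.register_function(lambda: "gms01", "get_hostname")
    server.register_function(lambda: "8.1 (Build 8110.1197)", "get_sversion")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_demo():
    """Start the stand-in on a free loopback port, probe it, tear it down."""
    server, port = start_stand_in()
    try:
        return probe("127.0.0.1", port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    exposed, detail = run_demo()
    print("EXPOSED" if exposed else "not exposed", "-", detail)
```

Against a real host the call is probe("host") with the default port; the stand-in exists only for the offline demo. The split into READ_ONLY and STATE_CHANGING is what keeps a scan check from ever touching set_* or reboot, which on this service would alter the appliance's network configuration or take it offline.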