Today Digital Defense is publishing several high-impact vulnerabilities on the Dell SonicWall GMS platform that our vulnerability research team discovered and brought to the attention of Dell. Dell has been extremely professional and worked diligently with Digital Defense engineering staff to understand, resolve and verify the fixes for these security issues.
Dell has released fixes and customer advisories for these issues here: Sonicwall GMS
Note these vulnerabilities are in the Sonicwall GMS command and control appliances which help administer other SonicWall SSL-VPN and Firewall platforms. While we typically do not see these appliances and associated management protocols deployed on external network interfaces, given the high-severity of these flaws and the fact they allow full control of critical edge infrastructure we are recommending to clients who use these systems anywhere in their network architecture to sweep them for the presence of these flaws, on both their internal and external network segments.
Clients who currently use our Frontline VM platform, or prospects using our trial-system to check their external networks, can sweep for the presence of all of these issues by selecting the [SonicWall GMS July-2016 Flaws] scan-policy or by doing a full vulnerability assessment scan. These are explicit network-checks so credentials are not required to check for the flaws.
Details of the vulnerabilities are as follows:
Product: SonicWALL Global Management System (GMS)
Versions Tested: 8.1 (Build: 8110.1197, the most recent available) virtual appliance
Brief product description: SonicWALL GMS is a central management, reporting, and monitoring solution for SonicWALL appliances such as SSL VPNs and firewalls. It allows for control and management of all attached SonicWALL appliances.
1. DDI-VRT-2016-55: Unauth root command injection via set_time_config method call
2. DDI-VRT-2016-56: Unauth root command injection via set_dns method call
3. DDI-VRT-2016-57: Hidden default account(s) with easily guessable password
4. DDI-VRT-2016-58: Unauth XXE in GMC service
5. DDI-VRT-2016-59: Unauth XXE via AMF message
6. DDI-VRT-2016-60: Unauth modification of the virtual appliance networking info
Vulnerability: Unauthenticated Remote Command Execution with Root Privileges
Internal Tracking ID: DDI-VRT-2016-55(set_time_config)
Internal Tracking ID: DDI-VRT-2016-56(set_dns)
Impact: Complete compromise of the virtual appliance
Attack scenario: Using the command injection vulnerability, an attacker can gain a reverse root shell on the virtual appliance. Using this shell the attacker can obtain the data base credentials from /opt/GMSVP/data/sgmsConfig.xml. The database username and password are encrypted with a static key in the TEAV class that is located in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar. Once the database credentials have been obtained, the admin password for the GMS management interface can be changed by logging into the sgmsdb database, and updating the PASSWORD column for ID=admin to a new hash value, such as 5f4dcc3b5aa765d61d8327deb882cf99 (password of “password”). Once the password for the admin user of the GMS interface has been obtained or changed, the attacker would gain control over all SonicWALL appliances being managed by the GMS appliance.
Details: The GMC service,on port 21009, can be used to get and set various networking options on the virtual appliance without authentication. This service accepts a method called set_time_config, which is used to set the timezone on the appliance, that can be leveraged to run arbitrary commands on the virtual appliance with the privileges of the running process, in this case, root. The command to be run is placed in the “timezone” XML element’s “value” field, the command should be placed inside backticks. The GMC service (/opt/GMSVP/Scheduler/gmc.jar) accepts the HTTP POST with the XML data, and forwards the XML portion, without validating the “timezone” value, of the request to the dispatcher service (/opt/vsa/bin/dispatcher) on port 8035. The dispatcher calls /opt/vsa/bin/timeSetup.sh and passes the attacker supplied timezone value to this script via the “–tz=” parameter. The command is executed on the command line before “timeSetup.sh” runs. Additionally, commands can be executed using the “set_dns” method and injecting the command into the “search_suffixes” value parameter while also using a validly formatted “nameservers” IP value, which is also not validated in the DispatcherHandler.class.
Vulnerable JAR: /opt/GMSVP/Scheduler/gmc.jar
Vulnerable Class: DispatcherHandler
Vulnerability: Hidden Default Account UT000000000000 with Easily Guessable Password
Internal Tracking ID: DDI-VRT-2016-57
Impact: This hidden account can be used to add non administrative users via the CLI Client that can be downloaded from the Console interface of the SGMS web application. The non-administrative user can then log into the web interfaces and change the password for the admin user, elevating their privilege to that of the admin user upon logging out and back in as the admin user with the new password. The would grant the attacker full control of the SGMS interface and all attached SonicWALL appliances.
Attack scenario: Attacker connects to the GMS server configured in the Console or All-in-one role and logins in as UT000000000000, password of “password”, localdomain, then runs addusers with an xml file that contains the user to be added with all permissions set to allow and granting the new users read/write access to the user management section of the SGMS Console. The attacker can now log into the GMS web interface as the new user, navigate to the Console, Management, Users and reset the password for the admin user. Then, the attacker logs out and back in as the admin user, granting them full control over the SGMS interface and all attached SonicWALL appliances.
Details: When the SGMS all-in-one or cluster is deployed, the user UT000000000000 is created in the sgmsdb database with a default password of “password”. This user can log into the SGMS web interface but is immediately prompted to reset the password which fails with a Java NullPointerException and prevents anything useful from happening. However, this user can login via the CLI Client which does not require the user to immediately change the password. The UT000000000000 has enough permissions to add non-administrative users to the SGM database and with all available permissions set to allow and read/write. This allows UT000000000000 to create a non-administrative user that can then log into the web interface and reset the password for the admin user to gain full access to the SGMS web interface. The following users are also present with a default password of “password” but do not have cli access: UT123456789100, UT123456789200, and UT123456789300.
Vulnerability: Unauthenticated XML External Entity Injection in the GMC Service
Internal Tracking ID: DDI-VRT-2016-58
Impact: Full compromise of the GMS interface and all attached SonicWALL appliances, arbitrary file retrieval with root privileges, and denial of service.
Attack scenario: Using the XXE injection, an attacker can retrieve /opt/GMSVP/data/sgmsConfig.xml which contains the encrypted database credentials, IP address and port for the GMS cluster database. These credentials can be easily decrypted using the static key from the TEAV class located in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar. Once the database credentials have been obtained, the admin hash for the GMS web management interface can be obtained from the users table in the sgmsdb database, along with the hashes for all configured users in the GMS interface. Alternatively, this hash can be updated in the database and set to a new value, such as 5f4dcc3b5aa765d61d8327deb882cf99 (password of “password”). Once the password for the admin user of the GMS interface has been obtained or changed, the attacker would gain control over all SonicWALL appliances being managed by the GMS appliance.
Details: No authentication is required to exploit this vulnerability. The GMC service, on port 21009, is used to get and set various networking information on the appliance such as DNS and IP address via an HTTP POST request containing XML data. The GMC service is vulnerable to an XML external entity injection via a crafted XML message sent via an HTTP POST to the GMC service on port 21009. When the GMC service is created, it sets up an RPC receiver using the XmlRpcStreamServer class from xmlrpc-server-3.1.jar. This class creates a new XML reader using the newXMLReader method from the SAXParsers class located in xmlrpc-common-3.1.jar. However, it fails to explicitly disable DTD parsing, which is enabled by default.
Vulnerable JAR: /opt/GMSVP/etc/xmlrpc-server-3.1.jar
Vulnerable Class: XmlRpcStreamServer
Vulnerability: Unauthenticated XML External Entity Injection via Crafted AMF Message (CVE-2015-3269, Apache Flex BlazeDS library, flex-messaging-core.jar)
Internal Tracking ID: DDI-VRT-2016-59
Impact: Arbitrary file retrieval with root privileges, denial of service and potential for full compromise of the virtual appliance and all attached SonicWALL appliances.
Attack scenario: Using the XXE injection, an attacker can retrieve /opt/GMSVP/data/auth.txt or /var/lib/pwd which contain the current MD5 password hash for the admin user of the virtual appliance. Additionally, /opt/GMSVP/data/auth.txt contains the last several hashed passwords for the admin user. The auth.txt file is encrypted using a static key and functions from the TEAV class located in /opt/GMSVP/Tomcat/shared/lib/sharedUtil.jar. The current admin password hash is also stored in /var/lib/pwd and is not encrypted. Once the admin password has been recovered in an offline dictionary/brute force attack, the attacker can login to the appliance management web interface and can create and download a “Basic” backup of the virtual appliance which will contain sgmsConfig.xml. This XML file contains the IP, username and password for the GMS database server. The username and password are encrypted using the TEAV class, and can easily be decrypted with the same static key that was used to decrypt auth.txt. Once the database credentials have been obtained, the admin hash for the GMS web management interface can be obtained from the users table in the sgmsdb database, along with the hashes for all configured users in the GMS interface. Alternatively, this hash can be updated in the database and set to a new value, such as 5f4dcc3b5aa765d61d8327deb882cf99 (password of “password”). Once the password for the admin user of the GMS interface has been obtained or changed, the attacker would gain control over all SonicWALL appliances being managed by the GMS appliance.
Details: No authentication is required to exploit this vulnerability. The SonicWALL GMS web application uses the flex-messaging-core.jar to provide server side support for the Flash based portion of the GMS web application. The version of this library used by the GMS application does not prevent the use of XML external entities which allows an attacker to retrieve arbitrary text files from the virtual appliance with root privileges. This vulnerability can be exploited by sending an HTTP POST with the crafted AMF message to ports 80 and 8443 at one of the following URIs:
Vulnerable JAR file: /opt/GMSVP/Tomcat/webapps/sgms/WEB-INF/lib/flex-messaging-core.jar
Vulnerable Class: XMLUtil
Vulnerability: Unauthenticated Network Configuration Changes via GMC Service
Internal Tracking ID: DDI-VRT-2016-60
Impact: Denial of service
Details: No authentication is required to exploit this vulnerability. The GMC service, on port 21009, accepts HTTP POST with XML method data to get and set various networking options for the GMS virtual appliance, and can also be used to reboot the appliance.The following methods can be called without authentication: