Vendor: Dell
Product: SonicWALL Email Security (virtual appliance)
Version: 8.3.0.6149
Summary Information:
SonicWALL Email Security can be configured as a Mail Transfer Agent (MTA) or SMTP proxy and has spam protection, compliance scanning, anti-malware and anti-virus capabilities. The affected web interfaces for these vulnerabilities are frequently available on externally accessible perimeter interfaces. By combining the authentication bypass and command execution vectors, full appliance compromise can be achieved including the ability to snoop inbound/outbound corporate email.
DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet
DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html
DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html
DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html
Details:
DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet
Impact: Sensitive information disclosure including config files and the SHA1 password hash for the admin account.
Details: The DLoadReportsServlet can be accessed via the https://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by suppling the path to the backup via the "snapshot" GET parameter. This GET parameter can be used to access any files stored in the /opt/emailsecurity/data/backup directory or one of its sub-directories. The backup file names are generated when the backup is created and includes a datetime stamp that would make them hard to find without additional information, for example, es_snwl_globalsettings_20160730001957_v8.3.0.6149.zip. However, there is a metadata file that contains the name of the backup files that can be downloaded by specifying the following path for the "snapshot" parameter, /opt/emailsecurity/data/backup/snwl/backupsnapshot_metadata.log. The global settings backup file contains numerous config files, including multi_accounts.xml, which contains the current SHA1 password hash for the admin account.
DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html
Impact: Information disclosure
Details: The Configure Known Networks section of the web interface allows users to upload an XML file that contains known networks. This functionality can be abused to retrieve some files from the host running the SonicWALL Email Security software when the web interface tries to parse a crafted XML file. The KnownNetworkImportAction class manages the known networks file upload and calls the doImport method from this class to start the file import. From here, the doImport method creates a new KnownNetworkDataManager object to read in and parse XML file using the readInputStream method from the XMLManagerW3CDom4J class. The readInputStream method in the XMLManagerW3CDom4J class fails to explicitly disable DTD parsing, which is enabled by default, when using the DocumentBuilderFactory to parse the user controlled XML file.
DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html
Impact: Arbitrary OS command execution as root, full compromise of the virtual appliance.
Details: The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. The FTPProfileAction class handles the saving of the FTP profile via the saveFTPProfile method which will save the FTP profile to /opt/emailsecurity/data/backupconfig.xml config file. No sanitation is done on the user provided values for the username or password before they are saved for later use. When a manual backup is performed, these user provided values are used by mlfworkr to run ncftpput using "sh -c" with the FTP profile information from backupconfig.xml. Commands should be placed inside backticks or semicolons and can be injected via the username or password parameters.
DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html
Impact: Deletion of arbitrary files with root privileges, denial of service
Details: Compliance dictionaries can be added and deleted via the web management interface. When a dictionary is selected for deletion the PolicyDictionaryAction class "save" method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk using the "deleteDictionaries" method from the DictionaryManager class. The "save" method in the PolicyDictionaryAction class does not validate that the "selectedDictionary" POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.