The Digital Defense, Inc. Vulnerability Research Team (VRT) has identified four previously undisclosed security vulnerabilities found in the Dell SonicWALL Email Security platform. Summary information for these flaws can be found below. Read the Full Technical details here.
Checks for the identified vulnerabilities are available now in Frontline™ Vulnerability Manager. Clients are encouraged to run a full vulnerability assessment which includes the checks for the vulnerabilities or run Scan Policy SonicWALL October 2016 Flaws
to check specifically for only the vulnerabilities identified in this advisory.
SonicWALL Email Security (virtual appliance)
Brief product description
: The Dell SonicWALL Email Security platform can be configured as a Mail Transfer Agent (MTA) or SMTP proxy and with spam protection, compliance scanning, anti-malware and anti-virus capabilities.
DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet (High)
: Sensitive information disclosure including config files and the SHA1 password hash for the admin account.
The DLoadReportsServlet can be accessed via the https://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by supplying the path to the backup via the "snapshot" GET parameter which can be used to access any files stored in the backup directory or one of its sub-directories. The global settings backup file contains numerous config files, one which contains the current SHA1 password hash for the admin account.
DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html (High)
The Configure Known Networks section of the web interface allows users to upload an XML file that contains known networks. This functionality can be abused to retrieve some files from the host running the SonicWALL Email Security software when the web interface tries to parse a crafted XML file.
DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html (High)
Arbitrary OS command execution as root, full compromise of the virtual appliance.
The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. No sanitation is done on the user provided values for the username or password before they are saved for later use. Commands placed inside backticks or semicolons can be injected via the username or password parameters.
DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html (High)
Deletion of arbitrary files with root privileges, denial of service.
Compliance dictionaries can be added and deleted via the web management interface. When a dictionary is selected for deletion the "save" method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk. The "save" method does not validate that the "selectedDictionary" POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.
Dell has addressed these vulnerabilities and released rollup patch 8.3.2 for the SonicWALL Email Security platform. The patch was made available to customers on October 3, 2016. Learn more at www.mysonicwall.com
Not sure if your organization is vulnerable?
Take DDI’s Free 21 Day Trial to Test the Strength of Your External Network.
To learn more about internal network scanning services, contact us