Dell recently distributed a hotfix that addresses vulnerabilities found in the Dell SonicWALL Global Management System (GMS) and SonicWALL Analyzer, versions 8.0 and 8.1. Both solutions are typically installed on PCs distributed in corporations and businesses, the former of which is used to manage, report, and monitor SonicWALL appliances like SSL VPNs and firewalls. Analyzer provides web-based network traffic analysis and reporting tools.
“Vulnerabilities were found pertaining to command injection, unauthorized XXE, default account, and unauthorized modification of virtual appliance networking information,” the company states. “To fix these vulnerabilities, Dell highly recommends that existing users of Dell SonicWALL GMS and Analyzer Hotfix 174525.”
The vulnerabilities in Dell’s two SonicWALL solutions were uncovered by Digital Defense Incorporated. This company was founded in 1999, and provides managed security assessment solutions for small businesses and Fortune companies alike in over 65 countries. The firm actually discovered up to six vulnerabilities just in Dell’s SonicWALL GMS service alone.
According to the security firm, the vulnerabilities include unauthenticated remote command execution with root privileges, a hidden default account with an easily guessable password, an unauthenticated XML External Entity (XXE) injection in the GMC service, an unauthenticated XML External Entity (XXE) injection via a crafted AMF message, and unauthenticated network configuration changes via the GMC service.
For instance, if the attacker uses the command injection vulnerability, the crafty individual can gain a reverse root shell on the virtual appliance. This enables the attacker to grab database credentials and change the password, preventing the administrator of the GMS to access the interface and giving the attacker full control over the virtual appliance.
As for the hidden account, this can be used to add non-administrative users through the CLI Client made available to download through the GMS web application. These users can then log onto the web interfaces and change the administrator’s password. Their privileges can thus be elevated by logging out and logging back in as administrator with a new password. That means full control of the GMS interface and all connected SonicWALL appliances.
As for some of the other vulnerabilities, hackers could use XXE injection to retrieve encrypted database credentials and IP addresses, and use a static key to decrypt and change the administrator’s password. XXE injection could also be used to retrieve the current MD5 password hash for the administrator of the virtual appliance. The last several hashed passwords for the administrator can be obtained too.
“Users who are unable to apply patches to the affected systems can attempt to mitigate some of the risk posed by these exploit vectors by limiting access to the network services of their SonicWALL GMS appliances to restricted-access internal network segments or dedicated VLANs,” the firm reports.
Top get the hotfix from Dell, customers can simply download it from here. Just log onto MySonicWALL, click on “Downloads” and then “Download Center” in the navigation panel on the left. After that, choose “GMS / Analyzer – Virtual Appliance” or “GMS / Analyzer – Windows” in the drop down menu labeled “Software Type.” After that, follow the release notes for detailed instructions on how to install the hotfix.
For a detailed accounting of each vulnerability that’s now patched by Dell, check out Digital Defense’s blog right here.