SonicWALL Email Security appliance flaws could expose corporate emails

Dell issued the SonicWALL Email Security OS 8.3.2 release to address high severity issues that can be exploited to take control of the appliance.

Security researchers at Digital Defense discovered multiple vulnerabilities while assessed the SonicWALL Email Security virtual appliance (Version 8.3.0.6149). According to the experts. The flaws could be exploited by attackers to conduct a wide range of malicious activities, including command injection, arbitrary file deletion, denial-of-service (DoS) and information disclosure.

Below the list of vulnerabilities discovered by the experts at the Digital Defense, Inc. Vulnerability Research Team (VRT).

DDI-VRT-2016-69: Authentication Bypass in DLoadReportsServlet (High)

The attacker can access backup files that include also the SHA-1 hash of the administrator account password.

“The DLoadReportsServlet can be accessed via the http://<IP>/dload_reports URL without authentication. If any backups have been made via the web interface and the Email Security appliance is set as the storage location, they can be downloaded by supplying the path to the backup via the “snapshot” GET parameter which can be used to access any files stored in the backup directory or one of its sub-directories. ” reads the analysis published by the experts.

DDI-VRT-2016-70: Authenticated XML External Entity Injection in known_network_data_import.html (High)

The experts discovered that it is possible to launch an XML External Entity (XXE) injection attack to steal sensitive data.

DDI-VRT-2016-71: Authenticated Remote Command Execution in manage_ftpprofile.html (High)

This issue could be exploited by an attacker to send backup files to a remote FTP server.

“The SonicWALL Email Security appliance has an option to send backup files to a remote FTP server instead of storing them locally on the appliance. To use this functionality, the user would need to create an FTP profile which includes the FTP server address, port, username, password, and destination path. No sanitation is done on the user provided values for the username or password before they are saved for later use. Commands placed inside backticks or semicolons can be injected via the username or password parameters.” states the analysis published by Digital Defense.

DDI-VRT-2016-72: Authenticated Arbitrary File Deletion in policy_dictionary.html (High)

The flaw allows attackers to delete arbitrary files with root privileges and trigger DoS conditions.
The researchers discovered that a bug in the way compliance dictionaries are managed via web interface allows authenticated attackers to select any files and delete them.

“When a dictionary is selected for deletion the “save” method is called. This method first verifies that the dictionary selected for deletion is not in use before deleting the dictionary file from disk. The “save” method does not validate that the “selectedDictionary” POST parameter contains a valid dictionary before deleting the file. This allows an authenticated user to delete any files from the host that is running the SonicWALL Email Security software.” states the advisory.

The researchers explained that flawed SonicWALL Email Security virtual appliance could be always configured for external access, this means that remote attackers can take complete control of it by combining the authentication bypass and command execution flaws.

The full control over the SonicWALL Email Security virtual appliance could be exploited to capture inbound and outbound emails of the organization.

Dell has patched the issued with the new SonicWALL Email Security OS 8.3.2 release.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SonicWALL Email Security, hacking)