Update: 24 Oct 2011
===================
After reading the SonicWall analysis of our report, the severity rating has been updated from Medium to Low in two of the three vulnerabilities:

1.- SonicOS Management SessionID Brute Force Vulnerability:
"As SonicOS validates both the management SessionID and the management Source IP address used to establish the management session, any attempt at a brute force attack on the management SessionID can only be originated from the Source IP used by an active session of a legitimate Administrator."

2.- Preview of Custom Web Page Vulnerability:
We have changed the severity rating from Medium to Low, even if we think that SonicWall does not correctly understand the potential risk of that vulnerability. Quoting the SonicWall analysis:
"Incorrect coding by the legitimate administrator can lead to traditional attacks like XSS, session hijacking, etc. This vulnerability requires the authenticated administrator to post malicious JavaScript code into the firewall."
This is not the real risk. The real risk of ANY code injection is the possibility of a third party (an attacker) injecting the code. That can be achieved in many ways and has been covered in too many papers over the last 10 years. And of course, injecting malicious code into your own application is not a vulnerability...
Anyway, analyzing the way SonicWall manages HTTP sessions and the fact that the code would have to be injected by fooling an administrator, we agree that the severity should be considered Low.

You can read more about the SonicWall analysis here:
http://www.sonicwall.com/shared/download/SonicWALL_Analysis_of_PenTest_Vulnerability_Reports_100611.pdf

Warning: The ARP Spoofing vulnerability is still considered HIGH.

Update: 06 Oct 2011
===================
New firmware available:
http://www.sonicwall.com/shared/download/Medium_Severity_Vulnerabilities_Instructions.pdf
MAC Spoofing vulnerability still being tested.

-------------------------------
Update: 05 Oct 2011
===================
Today we have been contacted by the SonicWall team. Contact from the vendor was lightning fast and, as far as we know, they are working hard to deliver software patches to their customers. After ten years of vulnerability disclosure, we can say this is the most professional reaction we have ever seen, not only for their fast response but especially for the smart and gentle way of dealing with the topic.
-------------------------------

Title:
======
SonicWall products with incompatible MAC spoofing protection

Date:
=====
2011-09-29

Introduction:
=============
The SonicWall NSA 4500 product has a MAC spoofing protection option that can be activated in wireless networks on a per-ESSID basis. This protection will not work if the access point is a SonicPoint. No warning or notice is presented to the administrator, which means that the protection will be active but not working.
This vulnerability was detected while pentesting a customer WiFi deployment with that configuration: SonicWall NSA 4500 + SonicWall SonicPoints.

Report-Timeline:
================
2011-09-26: Vendor Notification
2011-09-28: Vendor Final Response
The vendor has confirmed the bug via customer support response.

Affected Products:
==================
SonicWall NSA 4500 + SonicWall SonicPoints

Exploitation-Technique:
=======================
Common ARP spoofing attacks.

Severity:
=========
High. Customers don't know they are unprotected even if they have MAC spoofing protection activated.

Details:
========

---------------------------------------------------------------------------------------

Title:
======
SonicWall web admin interface multiple code injection vulnerabilities

Date:
=====
2011-09-29

Introduction:
=============
The SonicWall NSA 4500 web admin interface offers the option to customize some web pages directly from the admin interface. For this, the web interface has some forms where the admin can put the code and test it via a preview feature. This preview feature will show the page and execute all the JavaScript code inside it in the web admin security context, which leads to many traditional attacks, like XSS, session hijacking...

Report-Timeline:
================
Not reported.

Affected Products:
==================
SonicWall NSA 4500

Exploitation-Technique:
=======================
Common code injection techniques (XSS)

Severity:
=========
Low.

Details:
========
To reproduce the flaw, just go to main.html, Users->Settings and in the "Login page content" put whatever code you want and it will be executed in the admin context.
This behaviour is a dangerous feature of the web admin interface, because it can be exploited and triggered in several ways by an attacker. There are other fields besides "Login page content" that can be exploited in the same way.

---------------------------------------------------------------------------------------

Title:
======
SonicWall weak HTTP session IDs

Date:
=====
2011-09-29

Introduction:
=============
The SonicWall NSA 4500 web admin interface generates session IDs that are stored in the "SessId" cookie variable. The IDs are guessable via brute force, which leads to admin session hijacking.

Report-Timeline:
================
Not reported.

Affected Products:
==================
SonicWall NSA 4500

Exploitation-Technique:
=======================
To brute force, just make requests like this:

GET /log.wri HTTP/1.0
Host: 123.123.123.123
Connection: close
User-Agent: brute-forcing
Cookie: SessId=111111111

Where SessId is the variable that we are brute-forcing (it should change in every request) and Host is the SonicWall IP. If you fail you get a 404 HTTP response. If you succeed, you will get a 200 HTTP response, and will see the SonicWall logs.

Severity:
=========
Low.

Details:
========
HTTP "SessId" brute force. From a LAN, 10% of all IDs can be brute-forced in 1 day.
The more administrators are logged in, the more dangerous the scenario is, and the easier the brute-force attack becomes.

---------------------------------------------------------------------------------------
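As an added defensive example (not part of the advisory and not a SonicWall tool), the following Python script scans log lines for the SessId guessing signature described above: many distinct SessId values from one client against /log.wri, each answered with a 404, possibly followed by a 200 once a guess lands. The log line layout and the sample lines are constructed for illustration; adapt the regex to what your proxy or firewall actually records.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real SonicOS output; the field layout is
# an assumption): client IP, request line, HTTP status, SessId cookie value.
SAMPLE_LOG = """\
10.0.0.7 "GET /log.wri HTTP/1.0" 404 SessId=111111111
10.0.0.7 "GET /log.wri HTTP/1.0" 404 SessId=111111112
10.0.0.7 "GET /log.wri HTTP/1.0" 404 SessId=111111113
10.0.0.7 "GET /log.wri HTTP/1.0" 404 SessId=111111114
10.0.0.7 "GET /log.wri HTTP/1.0" 404 SessId=111111115
10.0.0.7 "GET /log.wri HTTP/1.0" 200 SessId=111111116
10.0.0.9 "GET /log.wri HTTP/1.0" 200 SessId=583920113
10.0.0.9 "GET /main.html HTTP/1.0" 200 SessId=583920113
"""

LINE_RE = re.compile(r'^(\S+) "(\w+) (\S+) [^"]*" (\d{3}) SessId=(\w+)$')


def parse(log_text):
    """Yield (client, path, status, sessid) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, _method, path, status, sessid = m.groups()
            yield client, path, int(status), sessid


def find_sessid_guessing(log_text, threshold=5):
    """Flag clients that sent >= threshold distinct SessId values to /log.wri
    and got a 404 each time (the failure signature from the advisory). A 200
    from the same client after those failures is recorded as the probable
    successful guess, so that session can be terminated by the operator."""
    by_client = defaultdict(lambda: {"ids": set(), "failures": 0, "hit": None})
    for client, path, status, sessid in parse(log_text):
        if path != "/log.wri":
            continue
        stats = by_client[client]
        stats["ids"].add(sessid)
        if status == 404:
            stats["failures"] += 1
        elif status == 200 and stats["failures"] > 0:
            stats["hit"] = sessid
    return {
        client: {"distinct_ids": len(s["ids"]), "failures": s["failures"], "hit": s["hit"]}
        for client, s in by_client.items()
        if s["failures"] >= threshold and len(s["ids"]) >= threshold
    }
```

Because SonicOS also ties the session to the source IP (per the vendor analysis above), a flagged client whose guesses succeed should be an already-authenticated administrator host, which is itself worth investigating.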