The company has failed to address the security holes pointed out by Vulnerability Lab

Aug 14, 2012 08:39 GMT

Researchers from Vulnerability Lab have identified a couple of security holes in SonicWALL Email Security 7.3.5.6379. The company was notified of the flaws back in May, but since it failed to respond within the 90-day disclosure period, the security firm decided to publicly reveal the existence of the issues.

The first vulnerability is a persistent input validation flaw – rated as high risk – which allows a remote attacker (or a local attacker with low privileges) to inject malicious code into the software. The bug can be leveraged for session hijacking, phishing, and “stable persistent module context manipulation.”

The affected component is the Compliance and Virus protection procedures module; the vulnerability is triggered when unsanitized input is loaded by that module.

A number of client-side cross-site scripting (XSS) flaws have also been detected in the application. According to the researchers, they can be leveraged by a remote attacker to manipulate appliance requests on the client side.

Catalogued as low risk, these vulnerabilities can be exploited with medium user interaction.

“Successful exploitation results in session hijacking, account steal, client side phishing requests or manipulated context execution on client side requests,” reads the advisory published by the experts. “The vulnerabilities are located on the `from`- & `row` page listing values.”

Besides a video that demonstrates their findings, Vulnerability Lab has also provided Softpedia with a detailed proof-of-concept. However, since the security hole hasn’t been addressed yet, we will not make it public at this time.

Hopefully, the fact that some of the details of these vulnerabilities are public will determine SonicWALL to act on addressing them.

Here is the video POC made available by the researchers:

Update. SonicWALL representatives have issued a statement regarding the findings of Vulnerability Lab researchers:

“As indicated by you, we agree it is a low risk item. For the vulnerability to be exploited, the attacker has to be deep within the corporate network and have administrative privileges to the solution.

Typically our email security solution is deployed inside a corporate firewall, and none of these pages are accessible without administrative credentials. We have taken this issue seriously and developed a patch. A patch notification to our customers will be issued soon.”

Update2. A security patch has been made available to address these issues. The Email Security 7.3.6 patch is available for download here. Customers are advised to apply it as soon as possible.