Dell SonicWALL Network Security Appliance NSA 6600 Reflected XSS
Title: Dell SonicWALL Network Security Appliance NSA 6600 Reflected XSS
Advisory ID: ZSL-2016-5391
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.12.2016
WXA 4000 running 1.3.2.0-07
SafeMode 6.1.0.11
MySQL/5.0.96-community-nt
Apache-Coyote/1.1
Apache Tomcat 6.0.41
[29.01.2016] Vendor contacted.
[29.01.2016] Vendor responds asking more details providing PGP keys.
[29.01.2016] Sent details to the vendor.
[29.01.2016] Vendor confirms receipt of the issues forwarding to engineering team.
[12.02.2016] Asked vendor for status update.
[12.02.2016] Vendor confirms the issues scheduling a patch release.
[23.02.2016] Asked vendor for status update.
[24.02.2016] Vendor replied.
[19.04.2016] Asked vendor for status update.
[20.04.2016] Vendor replied.
[22.04.2016] Working with the vendor.
[02.12.2016] Vendor releases patch to address this issues.
[29.12.2016] Coordinated public security advisory released.
[2] https://packetstormsecurity.com/files/140303
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/120216
[02.01.2017] - Added reference [1] and [2]
[29.01.2017] - Added reference [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5391
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.12.2016
Summary
Uncompromising security and performance for emerging large organizations. The NSA 6600 network security appliance delivers best-in-class protection, speed and scalability with 12 Gbps throughput and up to 6000 VPN clients.Description
SonicWALL NSA suffers from a XSS issue due to a failure to properly sanitize user-supplied input to the 'curUserName' GET parameter in the 'appFirewallSummary.html' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.Vendor
Dell Inc. - https://www.sonicwall.com/products/sonicwall-nsa/Affected Version
NSA 6600 running SonicOS Enhanced 6.2.4.3-31nWXA 4000 running 1.3.2.0-07
SafeMode 6.1.0.11
Tested On
SonicWALLMySQL/5.0.96-community-nt
Apache-Coyote/1.1
Apache Tomcat 6.0.41
Vendor Status
[26.01.2016] Vulnerability discovered.[29.01.2016] Vendor contacted.
[29.01.2016] Vendor responds asking more details providing PGP keys.
[29.01.2016] Sent details to the vendor.
[29.01.2016] Vendor confirms receipt of the issues forwarding to engineering team.
[12.02.2016] Asked vendor for status update.
[12.02.2016] Vendor confirms the issues scheduling a patch release.
[23.02.2016] Asked vendor for status update.
[24.02.2016] Vendor replied.
[19.04.2016] Asked vendor for status update.
[20.04.2016] Vendor replied.
[22.04.2016] Working with the vendor.
[02.12.2016] Vendor releases patch to address this issues.
[29.12.2016] Coordinated public security advisory released.
PoC
sonicwall_nsaxss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016120170[2] https://packetstormsecurity.com/files/140303
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/120216
Changelog
[29.12.2016] - Initial release[02.01.2017] - Added reference [1] and [2]
[29.01.2017] - Added reference [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk