Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF

Title: Dell SonicWALL Secure Mobile Access SMA 8.1 XSS And WAF CSRF
Advisory ID: ZSL-2016-5392
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 29.12.2016
Summary
Keep up with the demands of today’s remote workforce. Enable secure mobile access to critical apps and data without compromising security. Choose from a variety of scalable secure mobile access (SMA) appliances and intuitive Mobile Connect apps to fit every size business and budget.
Description
SonicWALL SMA suffers from an XSS issue due to a failure to properly sanitize user-supplied input to several parameters. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session. The WAF was bypassed via form-based CSRF.
Vendor
Dell Inc. - https://www.sonicwall.com/products/secure-mobile-access/
Affected Version
8.1 (SSL-VPN)
Tested On
SonicWALL SSL-VPN Web Server
Vendor Status
[26.01.2016] Vulnerability discovered.
[29.01.2016] Vendor contacted.
[29.01.2016] Vendor responds asking for more details, providing PGP keys.
[29.01.2016] Sent details to the vendor.
[29.01.2016] Vendor confirms receipt of the issues, forwarding them to the engineering team.
[12.02.2016] Asked vendor for status update.
[12.02.2016] Vendor confirms the issues, scheduling a patch release.
[23.02.2016] Asked vendor for status update.
[24.02.2016] Vendor replied.
[19.04.2016] Asked vendor for status update.
[20.04.2016] Vendor replied.
[22.04.2016] Working with the vendor.
[11.07.2016] Vendor releases patch in SMA 100 Series 8.1.0.3 to address this issue.
[29.12.2016] Coordinated public security advisory released.
PoC
sonicwall_sslvpn.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://documents.software.dell.com/sonicwall-sma-100-series/8.1.0.3/release-notes/resolved-issues?ParentProduct=869
[2] https://www.exploit-db.com/exploits/40978/
[3] https://cxsecurity.com/issue/WLB-2016120171
[4] https://packetstormsecurity.com/files/140304
[5] http://www.securityfocus.com/bid/95153
[6] https://exchange.xforce.ibmcloud.com/vulnerabilities/120223
[7] https://exchange.xforce.ibmcloud.com/vulnerabilities/120222
[8] https://support.sonicwall.com/kb/226530
Changelog
[29.12.2016] - Initial release
[02.01.2017] - Added references [3], [4] and [5]
[29.01.2017] - Added references [6] and [7]
[10.03.2017] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk