SonicWall Email Security Appliance Vulnerabilities Could Allow Remote Code Execution

Summary


A Secureworks® assessment of a customer’s environment led to the discovery of two vulnerabilities in the SonicWall Email Security Appliance: a weak default root MySQL password (CVE-2019-7488) and a flaw that allows a restricted SSH (Secure Shell) user without a password to forward ports (CVE-2019-7489). When combined, these vulnerabilities led to unauthenticated remote code execution and a full system compromise.


Technical details


Analysis of the customer’s network revealed a SonicWall Email Security Appliance (see Figure 1).


Figure 1. SonicWall Email Security Appliance login. (Source: Secureworks)


Initial scans showed that SSH was exposed on the appliance. An attempt to authenticate to the SSH service produced a banner instructing the client to log in as the “snwlcli” user:


$ ssh [email protected]
For CLI access you must login as snwlcli user.
[email protected]'s password:

Attempting to authenticate to the SSH service as the ‘snwlcli’ user produced a second, application-level login prompt rather than a shell:


$ ssh [email protected]
For CLI access you must login as snwlcli user.
Terminal type not supported; setting to ansi
Login:

To better understand the ‘snwlcli’ user and the authentication process, the Secureworks analyst downloaded the same version of the virtual appliance from the SonicWall website. They then added the virtual hard drive (VMDK file) to an existing Kali Linux virtual machine to view the files contained on the hard drive and mount additional .img files that were located there.


The files appeared to be part of a fairly standard Linux image. The ‘/etc/passwd’ and ‘/etc/shadow’ files indicated that the ‘snwlcli’ user lacks an SSH password and has a non-standard shell that ..
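The passwd/shadow review described above is easy to script when auditing a mounted appliance image. The following is an added example written for this page, not Secureworks' or SonicWall's code. The passwd, shadow and sshd_config contents are constructed for illustration; the shell path /opt/snwl/bin/cli, the UIDs and the sshd settings are placeholders, not values taken from the appliance. It goes a step beyond the text by also resolving the two sshd_config directives (PermitEmptyPasswords and AllowTcpForwarding) that decide whether a passwordless account can both log in over SSH and forward ports, the combination the summary describes; that sshd's PermitEmptyPasswords is what governs the empty shadow field is an assumption of the example.

```python
"""Audit a Linux image for accounts with no password that sshd would still
admit and allow to forward ports. Added example; sample data is constructed."""

STANDARD_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}

# Constructed sample files (placeholders, not appliance contents).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
snwlcli:x:1001:1001:CLI user:/home/snwlcli:/opt/snwl/bin/cli
"""
SHADOW = """root:$6$saltsalt$constructedhashvalue:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
mysql:!!:18000:0:99999:7:::
snwlcli::18000:0:99999:7:::
"""
SSHD_CONFIG = """Port 22
PermitEmptyPasswords yes
AllowTcpForwarding yes
Match User snwlcli
    ForceCommand /opt/snwl/bin/cli
"""
HARDENED_CONFIG = """Port 22
PermitEmptyPasswords no
AllowTcpForwarding no
Match User snwlcli
    ForceCommand /opt/snwl/bin/cli
    AllowTcpForwarding no
    PermitEmptyPasswords no
"""


def parse_passwd(text):
    """name -> {uid, home, shell} for each 7-field /etc/passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not line.startswith("#"):
            name, _, uid, _, _, home, shell = fields
            users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """name -> password field (second column) for each /etc/shadow line."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines()) if len(f) >= 2}


def classify_password(field):
    """'empty' (any password accepted), 'locked' ('!', '!!', '*', '!hash') or 'set'."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    return "set"


def find_passwordless_logins(passwd_text, shadow_text):
    """Accounts with an empty shadow field whose shell is not a nologin shell."""
    shadow = parse_shadow(shadow_text)
    findings = []
    for name, info in parse_passwd(passwd_text).items():
        # A user missing from shadow is treated as locked, as login(1) would.
        if classify_password(shadow.get(name, "!")) != "empty":
            continue
        if info["shell"] in NOLOGIN_SHELLS:
            continue
        findings.append({"user": name, "shell": info["shell"],
                         "nonstandard_shell": info["shell"] not in STANDARD_SHELLS})
    return findings


def _match_applies(criteria, user):
    """True if a 'Match' line's criteria select this user ('all' or 'User a,b')."""
    tokens = criteria.split()
    if tokens and tokens[0].lower() == "all":
        return True
    return any(tokens[i].lower() == "user" and user in tokens[i + 1].split(",")
               for i in range(0, len(tokens) - 1, 2))


def effective_ssh_options(config_text, user):
    """Resolve PermitEmptyPasswords / AllowTcpForwarding for `user`: global
    values, then the first matching Match block wins for each keyword."""
    effective = {"permitemptypasswords": "no", "allowtcpforwarding": "yes"}  # sshd defaults
    overrides, section = {}, "global"          # section: global | match | skip
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            section = "match" if _match_applies(value, user) else "skip"
        elif key in effective:
            if section == "global":
                effective[key] = value.lower()
            elif section == "match":
                overrides.setdefault(key, value.lower())
    effective.update(overrides)
    return effective


def audit(passwd_text, shadow_text, sshd_config_text):
    """Passwordless accounts sshd would admit, annotated with forwarding rights."""
    findings = []
    for f in find_passwordless_logins(passwd_text, shadow_text):
        opts = effective_ssh_options(sshd_config_text, f["user"])
        if opts["permitemptypasswords"] == "yes":
            findings.append(dict(f, allow_tcp_forwarding=opts["allowtcpforwarding"] == "yes"))
    return findings


if __name__ == "__main__":
    for finding in audit(PASSWD, SHADOW, SSHD_CONFIG):
        print(finding)
```

Running the block against the constructed sample reports only snwlcli: empty password, non-standard shell, and port forwarding allowed. The HARDENED_CONFIG constant shows the per-user Match block a practitioner would expect instead: forwarding and empty passwords denied for the restricted account, which is what turns a command-restricted login into a genuinely restricted one.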
