Gladiator Research and Security

GSA Reference Number: AD081031-01
Updated: 11-3-2008

Simply Put: SonicWALL has released an advisory regarding a new vulnerability found in its content filter.  If a user behind a SonicWALL with content filtering enabled clicks on a malicious link, an attacker can cause malicious javascript to be executed through the content filter’s “Blocked Traffic” screen.  This vulnerability only affects SonicWALLs running the Enhanced OS using the content filter with the CFS Block Page.  See below for vulnerable versions.

Attack Details: At the heart of the problem is a cross site scripting vulnerability.  The SonicWALL device copies the entire URL the victim has visited and redisplays it in a webpage.  Since the web address is considered trusted input, the whole address is pasted directly into HTML.  The method used by SonicWALL does not account for code trying to run scripts.  To test your content filter, go to the Security Focus link below and click on “exploit code.”  There will be an example link.  Replace “www.example.com” with a website that you already know is blocked by your content filter.  if a dialog box appears when the blocked content page loads, then your SonicWALL will need to be patched.

Countermeasures: SonicWALL has released an update for all devices affected by this vulnerability.  SonicWALL updates can be downloaded from www.mysonicwall.com.  If your device is managed by Gladiator, we will handle the upgrade process.  If necessary, the content filter can be disabled until the firewall is patched.  Contact the Gladiator Security Operations Center with any questions.  The list below shows the minimum OS version that should be running on the firewall to protect against this vulnerability:

• SonicOS 3.4.0.0e for the TZ 170, TZ 170w, TZ 170SP, TZ 170SPW, PRO 1260
• SonicOS 4.0.1.2e for the TZ 180, TZ 180w, TZ 190, TZ 190w
• SonicOS 4.0.0.5e for the PRO 2040, PRO 3060, PRO 4060, PRO 4100, PRO 5060
• SonicOS 5.1.0.4o for the NSA 2400, NSA 3500, NSA 4500, NSA 5000, NSA E5500, NSA E6500, NSA E7500
• SonicOS 5.1.1.0o for the NSA 240

Reference Links:

• Secunia Advisory (http://secunia.com/Advisories/32498/)
• Security Focus Advisory (http://www.securityfocus.com/bid/31998)
• SonicWALL Homepage (http://www.sonicwall.com/us/)