Researchers have discovered a range of vulnerabilities in Dell's SonicWall Global Management System (GMS) console, including a hidden default account with an easily guessable password.
US security vendor Digital Defense said the hidden account can be accessed through a command line interface client that can be downloaded from the console of the GMS web application.
Non-administrative users can be added with the command line interface; however, they can log into the web interface and change the password for the admin user. By logging in with the admin user account, attackers using this method can get full contol of the GMS, and the SonicWall devices it controls.
Digital Defense rated the hidden account vulnerability in SonicWall GMS version 8.1 build 8110.1197 as critical.
Dell has removed the hidden backdoor account and also addressed five other vulnerabilities discovered by Digital Defense.
Two of the flaws patched by Dell are also rated as critical. The researchers found it was possible to use the set_time_config and set_dns methods to inject commands with root or superuser full privileges. Attackers can obtain database credentials and change the password for the admin user of the GMS, and gain complete control of the system, with this method.
Furthermore, a criticial vulnerability that uses unauthenticated extensible markup language external entity injection (XXE) allows attackers to gain full control of the SonicWall GMS and devices connected to it.
The XXE vulnerability requires no authentication to exploit, and can be used to get encrypted database credentials and the internet protocol address and port for the GMS cluster database, as well as a static decryption key.