_________________________________________
Security Advisory
_________________________________________
_________________________________________

  Severity: Low
  Title: SonicWALL SSL-VPN 2000 Information Disclosure Vulnerability
  Date: 15.09.2006 / Update: 03.07.2007
  Author: Nikolas Sotiriu (nsotiriu (at) sotiriu (dot) de)
  Vendor: SonicWALL (http://www.sonicwall.com)
  Affected Products: SonicWALL SSL-VPN 2000 1.5.0.x (maybe older)
  Not Affected Products: SonicWALL SSL-VPN 2000 >= 2.0.0.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Description:
------------

The "settings" cgi is not checking correctly if the accessing user is
a logged-in admin. 



POC:
----

https://<ssl-vpn2000>/cgi-bin/settings



Analysis:
---------

The Version of the Firmware is shortly shown, if its accessing by a 
webbrowser. Changes can not be done!



Vendor Response:
----------------

Version 2.0.0.1 Release Notes:

46044: Symptom: The SSL-VPN appliance discloses its firmware version
to non-authenticated requests. Condition: Occurs when a browser points
directly to https://<ssl-vpn>/cgi-bin/settings.




Disclosure Timeline:
--------------------

2006.09.14 - Vulnerability found
2006.10.25 - Vulnerability reported to vendor
2006.11.22 - Vulnerability Patched by vender (Version 2.0.0.1)
2007.07.03 - Public Disclosure