SonicWall Security Update

SonicWall PSIRT has worked with engineering and product teams to confirm and correct three vulnerabilities associated with the SonicWall Global VPN Client (GVC), two of which impact the included client installer. Successful exploitation via a privileged user could potentially result in command execution in the target system.

SonicWall has confirmed that Global VPN Client (GVC) installer 4.10.7.1117 (32-bit and 64-bit) and earlier versions have three specific vulnerabilities in one of the installer components as outlined below:

  1. Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe). This includes both the 32-Bit as well as 64-bit installers.
  2. Global VPN Client Installer being unable to remove RarSFX folder and its content after installation. Therefore, all organizations and/or users who have installed the latest GVC version have the problematic RarSFX folder and its vulnerable component (RunMSI.exe), which could lead to potential exploitation of the first vulnerability above. Only the last three 64-bit versions 4.10.7.1117, 4.10.6.0913 and 4.10.5.1224 are impacted.
  3. 32-Bit Global VPN Client DLL Highjacking over Microsoft Foundation Class DLLs. While first two vulnerabilities apply to the installer, this one is in the application itself. Only the 32-bit version of GVC is vulnerable. 

IMPORTANT

There is no evidence that these vulnerabilities are being exploited in the wild. All three vulnerabilities can only be exploited after the adversary gains control of the machine, has admin privilege or is able to place malicious files on the machine. The vulnerabilities can’t be exploited on a clean system.

SonicWall strongly urges that organizations using the Global VPN Client (GVC) in your network follow the guidance below.

IMPACT

Successful exploitation via a privileged user could result in command execution in the target system. All vulnerable DLL components are located in the RunMSI.exe part of the installer. A vulnerable installer component (RunMSI.exe) is vulnerable to a total of 15 variations of the DLL Search Order Hijacking.

These vulnerabilities require user interaction and running of the vulnerable installer. Command execution in the target system needs to be executed with administrator privileges. The GVC installer doesn’t remove problematic RarSFX folder and its content after installation.

IMPORTANT

If a user does not have administrator privileges, there is no way to execute the vulnerable installers. Only when an administrator explicitly executes the installers, or the target system is already compromised by administrator privileges, potential DLL Hijacking could occur.

RESOLUTION

Please follow the resolution steps below based on your organization’s specific use case(s).

Vulnerability Affected Version/Scope User Resolution
Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe) Previous installers
  • Silent fix. No user action needed.
Problematic RarSFX folders left in host machine after installation Host machine which are running below 64-bit installers:

  • 4.10.7.1117
  • 4.10.6.0913
  • 4.10.5.1224
  • Manually remove content in your system temp folders in below location mostly: C:\Users\AppData\Local\Temp or
  • Download the script available in the MySonicWall portal under the download section for Global VPN Client and double click on the script file, which will safely remove the affected folders from the respective Windows clients.
DLL Highjacking over Microsoft Foundation Class DLLs 32bit GVC (X86 GVC) only
  • Uninstall existing 32bit GVC
  • Install GVC 4.7.10.1424 32bit version (X86)

ADDITIONAL RESOURCES

Related posts:

  1. SonicWall Product Notice: Unauthenticated Stack-based Buffer Overflow Vulnerability in SonicOS
  2. Take Back Control Of Your Network With Sonicwall’s Deeper Security
  3. Security Notice: SonicWall Analytics On-Prem SQL Injection Vulnerability
  4. Security Notice: SMA 1000 Series Unauthenticated Access Control Bypass