SonicWall PSIRT has worked with engineering and product teams to confirm and correct three vulnerabilities associated with the SonicWall Global VPN Client (GVC), two of which impact the included client installer. Successful exploitation via a privileged user could potentially result in command execution in the target system.
SonicWall has confirmed that Global VPN Client (GVC) installer 188.8.131.527 (32-bit and 64-bit) and earlier versions have three specific vulnerabilities in one of the installer components as outlined below:
- Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe). This includes both the 32-Bit as well as 64-bit installers.
- Global VPN Client Installer being unable to remove RarSFX folder and its content after installation. Therefore, all organizations and/or users who have installed the latest GVC version have the problematic RarSFX folder and its vulnerable component (RunMSI.exe), which could lead to potential exploitation of the first vulnerability above. Only the last three 64-bit versions 184.108.40.2067, 4.10.6.0913 and 220.127.116.114 are impacted.
- 32-Bit Global VPN Client DLL Highjacking over Microsoft Foundation Class DLLs. While first two vulnerabilities apply to the installer, this one is in the application itself. Only the 32-bit version of GVC is vulnerable.
There is no evidence that these vulnerabilities are being exploited in the wild. All three vulnerabilities can only be exploited after the adversary gains control of the machine, has admin privilege or is able to place malicious files on the machine. The vulnerabilities can’t be exploited on a clean system.
SonicWall strongly urges that organizations using the Global VPN Client (GVC) in your network follow the guidance below.
Successful exploitation via a privileged user could result in command execution in the target system. All vulnerable DLL components are located in the RunMSI.exe part of the installer. A vulnerable installer component (RunMSI.exe) is vulnerable to a total of 15 variations of the DLL Search Order Hijacking.
These vulnerabilities require user interaction and running of the vulnerable installer. Command execution in the target system needs to be executed with administrator privileges. The GVC installer doesn’t remove problematic RarSFX folder and its content after installation.
If a user does not have administrator privileges, there is no way to execute the vulnerable installers. Only when an administrator explicitly executes the installers, or the target system is already compromised by administrator privileges, potential DLL Hijacking could occur.
Please follow the resolution steps below based on your organization’s specific use case(s).
|Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe)
|Problematic RarSFX folders left in host machine after installation
|Host machine which are running below 64-bit installers:
|DLL Highjacking over Microsoft Foundation Class DLLs
|32bit GVC (X86 GVC) only