| Product | SonicWall SSL-VPN NetExtender |
| Vendor | SonicWall Inc. |
| Affected Versions | <= 2023-08-08 |
| Tested Versions | 2023-08-08 |
| Subject | Improper Privilege Management - CWE-269 |
| Risk Level | Medium |
| Solution Status | fixed |
| Manufacturer Notification | Aug 8 2023 |
| Solution Date | Sep 29 2023 |
| Public Disclosure | Oct 12 2023 |
| CVE Reference | CVE-2023-44217 |
| Author | Matthias Zöllner, Cyvisory Group GmbH |
The MSI installer provided for SonicWall SSL-VPN NetExtender on the homepage https://www.sonicwall.com/de-de/products/remote-access/vpn-clients/ allows LPE for low privileged users, via the repair function.
The problem occurs, as the repair function of the MSI is spawning an administrative cmd. If caught, LPE is possible via a very simple breakout.
As a low privileged user do the following steps to reproduce:
Locate the msi installer under c:\windows\installer\. The installer gets cached here as long as the software is installed.
Run the located installer with
msiexec.exe /fa C:\Windows\Installer\2847d63.msi
When the installer runs, note that there is a cmd window flickering.
Catch the cmd, by quickly selecting some text
To make it easier to catch the window, the script runtime can be extended by overloading the system and the conhost.exe \
1..500 | foreach { Start-Process -FilePath cmd.exe -ArgumentList '/c dir ' -WindowStyle Minimized}
Local Elevation of Privileges. On every machine, where the MSI still can be found or can be brought to.
The CustomAction from the MSI should not spawn a visible window.
2023-08-07: Vulnerability discovered
2023-08-08: Vulnerability reported to manufacturer
2023-09-29: Fixed without notification
2023-10-13: Asked for status update
2023-10-14: Response to release notes and CVE
Found and reported by Matthias Zoellner from Cyvisory Group GmbH
E-Mail: [email protected]
Website: https://Cyvisory.group
The information provided in this security advisory is provided “as is” and without warranty of any kind.
