Exploitalert - Database of Exploits

SonicWALL Global Security Client Local Privilege Escalation Vulnerability

CVE	Category	Price	Severity
CVE-2021-20021	CWE-269	$5,000	High

Author	Risk	Exploitation Type	Date
Orange Tsai	High	Local	2009-05-27

CPE
cpe:cpe:/a:sonicwall:global_security_client

CVSS	EPSS	EPSSP
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	0.02192	0.50148

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Local	AV	The vulnerable system is not bound to the network stack and the attacker’s path is via read/write/execute capabilities. Either: the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or through terminal emulation (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability (e.g., using social engineering techniques to trick a legitimate user into opening a malicious document).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	Low	PR	The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2009050065

SEC Consult Security Advisory < 20090525-2 > ========================================================================== title: SonicWALL Global Security Client Local Privilege Escalation Vulnerability program: SonicWALL Global Security Client vulnerable version: 1.0.0.15 and possibly other versions homepage: http://www.sonicwall.com found: October 2006 by: lofi42 permanent link: https://www.sec-consult.com/advisories_e.html#a56 ========================================================================== Vendor description: ------------------- The SonicWALL Global Security Client offers IT professionals the capability to manage a mobile users online access, based upon corporate policies, in order to ensure optimal security of the network and maximize network resources. Instant messaging, high-risk Web sites and network file access can all be allowed or disallowed as security and productivity concerns dictate. [source: http://www.sonicwall.com/downloads/DS_GlobalSecurityClient_A4.pdf] Vulnerability overview: ----------------------- Local exploitation of a design error in SonicWALLs Global Security Client could allow attackers to obtain increased privileges. Vulnerability description: -------------------------- The problem specifically exists because SYSTEM privileges are not dropped when accessing the GSC properties from the System Tray applet. The vulnerability can be exploited by right-clicking the System Tray icon, choosing "Log", right click "Event Viewer", "Open Log File...". The opened file selected can be abused by navigating to C:\WINDOWS \SYSTEM32\, right-clicking cmd.exe, then selecting "Open"; doing so spawns a command shell with SYSTEM privileges. Proof of concept: ----------------- This vulnerability can be exploited without any special exploit code. Vendor contact timeline: ------------------------ 2006: Vulnerability found 2006.10.25: Vulnerability first reported to vendor 2009.02.17: Vulnerability reported to vendor again 2009.03.16: Request for status update 2009.04.21: Request for status update 2009.05.25: Public Release Patch: ------ SEC Consult was not able to get any vendor feedback on this issue. We are currently not aware of a patch or workaround.

Impressum