Security Notice: SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer

First Published: 04/27/2022 Last Updated: 04/29/2022

SonicWall has confirmed that Global VPN Client (GVC) installer 4.10.7.1117 (32-bit and 64-bit) and earlier versions have three specific vulnerabilities in one of the installer components as outlined below:

  1. Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe). This affects both the 32-bit and the 64-bit installers.

  2. The Global VPN Client installer fails to remove the RarSFX folder and its content after installation. Therefore, all organizations and/or users who have installed the latest GVC version have the problematic RarSFX folder and its vulnerable component (RunMSI.exe) left on their systems, which could allow exploitation of the first vulnerability above. Only the last three 64-bit versions, 4.10.7.1117, 4.10.6.0913 and 4.10.5.1224, are impacted.

  3. 32-bit Global VPN Client DLL Hijacking over Microsoft Foundation Class DLLs. While the first two vulnerabilities apply to the installer, this one is in the application itself. Only the 32-bit version of GVC is vulnerable.

IMPORTANT

There is no evidence that these vulnerabilities are being exploited in the wild. All three vulnerabilities can only be exploited after the adversary has gained control of the machine, has administrator privileges, or is able to place malicious files on the machine. The vulnerabilities cannot be exploited on a clean system.

SonicWall strongly urges organizations using the Global VPN Client (GVC) in their network to follow the guidance below.

IMPACT

Successful exploitation by a privileged user could result in command execution on the target system. All vulnerable DLL components are located in the RunMSI.exe part of the installer. The installer component RunMSI.exe is vulnerable to a total of 15 variations of DLL Search Order Hijacking.

These vulnerabilities require user interaction and execution of the vulnerable installer. Command execution on the target system must be performed with administrator privileges. The GVC installer does not remove the problematic RarSFX folder and its content after installation.

IMPORTANT

If a user does not have administrator privileges, there is no way to execute the vulnerable installers. Only when an administrator explicitly executes the installers, or the target system is already compromised with administrator privileges, could DLL hijacking occur.

RESOLUTION

Please follow the resolution steps below based on your organization’s specific use case(s).

Vulnerability: Global VPN Client DLL Search Order Hijacking via Application Installer (RunMSI.exe)
Affected Version/Scope: Previous installers
User Resolution:
  • This vulnerability exists in the original installation files (GVCsetup32.exe and GVCsetup64.exe). The vulnerability does not exist on the workstation/application once the application is installed. No user action is needed.

Vulnerability: Problematic RarSFX folders left on the host machine after installation
Affected Version/Scope: Host machines that were installed with the following 64-bit installers:
  • 4.10.7.1117
  • 4.10.6.0913
  • 4.10.5.1224
User Resolution:
  • Manually remove the content of your system temp folders, usually in the following location: C:\Users\AppData\Local\Temp, or
  • Download the script available in the MySonicWall portal under the download section for Global VPN Client and double-click the script file, which will safely remove the affected folders from the respective Windows clients.

Vulnerability: DLL Hijacking over Microsoft Foundation Class DLLs
Affected Version/Scope: 32-bit GVC (X86 GVC) only
User Resolution:
  • Uninstall the existing 32-bit GVC
  • Install GVC 4.10.7.1424 32-bit version (X86)
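As an added example, not SonicWall's installcleaner.bat and not part of the original notice, the following PowerShell script performs the manual RarSFX cleanup described above across every local user profile and removes only folders that still contain the vulnerable RunMSI.exe component. It assumes the leftover folder name begins with "RarSFX" and lives under each profile's AppData\Local\Temp; run it from an elevated prompt, with -WhatIf to list candidates without deleting.

```powershell
# Added example (not SonicWall's installcleaner.bat). Find leftover RarSFX* folders
# under each local user's temp directory that still contain RunMSI.exe and remove
# them. Assumptions: the SFX folder name starts with "RarSFX" and the leftover sits
# under <profile>\AppData\Local\Temp. Requires an elevated PowerShell session.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Profile directories to inspect; defaults to every folder under C:\Users.
    [string[]]$ProfileRoots = @((Get-ChildItem -Path 'C:\Users' -Directory).FullName)
)

$found = @()
foreach ($root in $ProfileRoots) {
    $temp = Join-Path $root 'AppData\Local\Temp'
    if (-not (Test-Path -LiteralPath $temp)) { continue }

    # Only folders matching the RarSFX naming pattern are candidates.
    Get-ChildItem -LiteralPath $temp -Directory -Filter 'RarSFX*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $runMsi = Join-Path $_.FullName 'RunMSI.exe'
            # Require the vulnerable component to be present before touching the
            # folder, so unrelated self-extractor folders are left alone.
            if (Test-Path -LiteralPath $runMsi -PathType Leaf) {
                $found += $_.FullName
            }
        }
}

if ($found.Count -eq 0) {
    Write-Host 'No leftover RarSFX folders containing RunMSI.exe were found.'
    return
}

foreach ($dir in $found) {
    # ShouldProcess honours -WhatIf and -Confirm for each folder individually.
    if ($PSCmdlet.ShouldProcess($dir, 'Remove leftover GVC installer folder')) {
        try {
            Remove-Item -LiteralPath $dir -Recurse -Force -ErrorAction Stop
            Write-Host "Removed: ${dir}"
        } catch {
            # Usually a locked file; report it so the admin can rerun after a reboot.
            Write-Warning "Could not remove ${dir}: $($_.Exception.Message)"
        }
    }
}
```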


To download the script which will remove the RarSFX folder please perform the following:

  1. Navigate to https://www.mysonicwall.com/muir/freedownloads
  2. Select the appropriate GVC bit version in the product drop-down menu.
  3. Expand the first version 4.10.7.1424 by clicking the arrow.
  4. The script "installcleaner.bat" is located in the third row.
  5. Click the download icon to the right of the file to start the download process.

