Positive Technologies today released more details about a vulnerability its researcher, Nikita Abramov discovered that allows authenticated attackers to obtain full control of on-premises SonicWall Network Security Manager (NSM). NSM is designed to centralize management of SonicWall firewalls and track threats and risks in network traffic. According to IDC, SonicWall ranks fifth among manufacturers of hardware security tools worldwide.
This vulnerability, known as CVE-2021-20026, is rated as ‘High’ criticality and has a CVSSv3 score of 8.8. An attacker needs to be an authenticated user into SonicWall NSM before they can exploit the vulnerability, which could allow criminals to inject OS commands in a user request, giving them access to all features of not only the vulnerable on-premises SonicWall NSM platform, but also the underlying operating system. This vulnerability was patched by SonicWall in May 2021.
Nikita Abramov, Positive Technologies researcher explained: “A successful attack on a vulnerable device requires authorization in NSM with a minimum level of privileges. SonicWall NSM allows centralized management of hundreds of devices. Tampering with this system may negatively impact a company's ability to work, to the point of full disruption of its protection system and stopping of business processes. As with Cisco ASA, successful attackers could disable access to the company's internal network by blocking VPN connections, or write new network traffic policies thus fully preventing its checks by a firewall.”
SonicWall PSIRT added: “Through ongoing collaboration with Positive Technologies, SonicWall validated and patched a post-authentication vulnerability within the on-premises version of the Network Security Manager (NSM) service. This vulnerability only impacts on-premises deployments and not the more common SaaS version of the NSM service. Impacted SonicWall partners and customers were quickly informed of the patch and were provided upgrade guidance in May 2021.”
From a technical standpoint, this vulnerability is caused by insufficient filtering of input data and its direct transfer to an operating system for processing. Such errors can be reduced or removed entirely by ensuring secure coding practices are adopted, reducing the propensity of coding weaknesses making it through the development lifecycle. However, as code weaknesses can and do happen to find their way past automated code checks, enabling penetration tests of the devices before they’re launched into production can offer increased assurance that certain weaknesses and vulnerabilities are caught and removed.
SonicWall NSM On-Prem 2.2.0-R10 and earlier product versions are affected. To eliminate the problem, the vendor recommends installing SonicWall NSM 2.2.1-R6. Organizations using on-prem NSM should reference SonicWall’s knowledgebase (KB) article for more information: https://www.sonicwall.com/support/product-notification/security-advisory-on-prem-sonicwall-network-security-manager-nsm-command-injection-vulnerability/210525121534120/
Vulnerability management systems, such as MaxPatrol VM, can automate the detection and prioritization of such vulnerabilities. To detect signs of penetration (for example, if an update cannot be installed), use SIEM solutions (in particular, MaxPatrol SIEM), which help identify suspicious behavior on the server, register an incident, and prevent the intruders from moving laterally within the corporate network in a timely manner.