SonicWall addresses critical CVE-2021-20026 flaw in NSM devices

Positive Technologies experts provide details about potential impact of a recently fixes command injection flaw in SonicWall NSM devices.

Positive Technologies researcher Nikita Abramov has provided details about the CVE-2021-20026 command injection vulnerability that affects SonicWall’s Network Security Manager (NSM) product.

At the end of May, SonicWall urged its customers to ‘immediately’ address a post-authentication vulnerability, tracked as CVE-2021-20026, impacting on-premises versions of the Network Security Manager (NSM).

The vulnerability rated with an 8.8 severity score could be simply exploited without user interaction.

The flaw could be exploited by an authenticated attacker to perform OS command injection using a crafted HTTP request.

The flaw affects NSM version 2.2.0-R10-H1 and earlier, the security vendor addressed it with the release of NSM 2.2.1-R6 and 2.2.1-R6 (Enhanced) versions.

“This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root),” SonicWall explains.

“SonicWall has validated and patched a post-authentication vulnerability (SNWLID-2021-0014) within the on-premises version of Network Security Manager (NSM). This vulnerability only impacts on-premises NSM deployments. SaaS versions of NSM are not affected.” reads the security advisory published by SonicWall. “This critical vulnerability potentially allows a user to execute commands on a device’s operating system with the highest system privileges (root).”

An attacker could exploit the vulnerability to execute arbitrary commands on the underlying operating system with root privileges.

The flaw was caused by the improper validation of input data which is directly passed to the operating system for processing.

Abramov explained that an attacker with authorization in NSM with a minimum level of privileges could potentially exploit the flaw to compromise the device.

“A successful attack on a vulnerable device requires authorization in NSM with a minimum level of privileges. SonicWall NSM allows centralized management of hundreds of devices. Tampering with this system may negatively impact a company’s ability to work, to the point of full disruption of its protection system and stopping of business processes.” said Nikita Abramov “As with Cisco ASA, successful attackers could disable access to the company’s internal network by blocking VPN connections, or write new network traffic policies thus fully preventing its checks by a firewall.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall NSM)

[adrotate banner=”5″]

[adrotate banner=”13″]