SonicWall Privilege Escalation: CVE-2020-5144

As of late Friday morning, SonicWall was in the early stages of advising its customers of a breach which may have impacted its security products. While initial reports indicated a wide range of potentially impacted products across the SonicWall product line, this was later clarified to just the SMA (Secure Mobile Access) 100. The SMA 100 is an appliance which is intended to provide secure access to data center, cloud, and SaaS (software as a service) resources from a single portal.

The announcement came four days after proof of concept (POC) exploit code for CVE-2020-5144 was released, which describes exploitation of the SonicWall Global VPN Windows client for privilege escalation by leveraging a vulnerability that allowed the executable search order to be hijacked. This would allow an ordinary user to elevate their permissions to SYSTEM (administrative-level privileges).

Early this Monday morning, Darren Martyn, a security researcher, released a previously unpublished exploit against SonicWall SSL-VPN (which includes the firewall line). This particular method of exploitation was leveraged during the Hacking Team data breach and allowed the threat actor in that instance to not simply gain remote access to the device, but also add code to the login page to capture usernames and passwords.

What Should I Do if I’m a SonicWall Customer?

• Review security notices from SonicWall for the SMA 100, Global VPN client, and other SonicWall products.
• Apply security patches as they become available.
• Enable multi-factor authentication on any public-facing SonicWall VPN appliance.
• Enable multi-factor authentication on your mySonicWall.com support account.
• Configure all Internet traffic and management audit logs to be stored in a SIEM, analyzed and monitored for anomalous activity (like Blumira’s cloud SIEM that offers automated detection & response).
• Configure alerting on abnormalities and initiate your incident response plan if abnormalities are identified.