Researcher Describes Potential Impact of Recently Patched SonicWall NSM Flaw

A researcher at Positive Technologies has described the potential impact of a recently addressed command injection vulnerability affecting SonicWall’s Network Security Manager (NSM) product.

NSM is a firewall management application that provides the ability to monitor and manage all network security services from a single interface, as well as to automate tasks to improve security operations. The product is available for on-premises deployments or as a SaaS offering.

Tracked as CVE-2021-20026 and featuring a CVSS score of 8.8, the vulnerability was patched in May 2021. The security hole affects the on-premises versions of SonicWall NSM only and can be exploited through specially crafted HTTP requests sent to the vulnerable application.

An attacker looking to exploit the vulnerability needs to be authenticated to the vulnerable application. The attacker could then execute commands on the underlying operating system with root privileges.

The flaw was identified by Nikita Abramov, a researcher at Russian cybersecurity firm Positive Technologies, who explains that the issue exists due to insufficient filtering of input data, and because that data is directly sent to the operating system for processing.

An attacker able to exploit this vulnerability to inject OS commands could gain access to all the features that the vulnerable on-premises SonicWall NSM platform has to offer, as well as to the entire underlying operating system.

Even attackers with a minimum level of privileges could successfully exploit the vulnerability. Such an attack could result in the immediate compromise of the devices that SonicWall NSM is used to manage — the product can be used to manage hundreds of devices.

“Tampering with this system may negatively impact a company’s ability to work, to the point of full disruption of its protection system and stopping of business processes,” Abramov says.

The security bug impacts the 2.2.0-R10 and earlier releases of on-premises SonicWall NSM and it has been addressed with the release of NSM 2.2.1-R6, which SonicWall customers are encouraged to install.

“This vulnerability only impacts on-premises deployments and not the more common SaaS version of the NSM service. Impacted SonicWall partners and customers were quickly informed of the patch and were provided upgrade guidance in May 2021,” SonicWall PSIRT said.

Related: Attackers Leverage SonicWall VPN Flaw to Compromise SRA Appliances

Related: SonicWall Zero-Day Exploited by Ransomware Group Before It Was Patched

Related: Three Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks