Description
SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impact SonicWall NetExtender Windows client version 10.2.300 and earlier.
Affected Software
Related
{"id": "CVE-2020-5147", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2020-5147", "description": "SonicWall NetExtender Windows client vulnerable to unquoted service path vulnerability, this allows a local attacker to gain elevated privileges in the host operating system. This vulnerability impact SonicWall NetExtender Windows client version 10.2.300 and earlier.", "published": "2021-01-09T01:15:00", "modified": "2021-09-21T17:04:00", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 4.6}, "severity": "MEDIUM", "exploitabilityScore": 3.9, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5147", "reporter": "PSIRT@sonicwall.com", "references": ["https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023", "http://packetstormsecurity.com/files/163857/SonicWall-NetExtender-10.2.0.300-Unquoted-Service-Path.html"], "cvelist": ["CVE-2020-5147"], "immutableFields": [], "lastseen": "2022-03-23T18:36:39", "viewCount": 134, "enchantments": {"dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:50212"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163857"]}, {"type": "zdt", "idList": ["1337DAY-ID-36653"]}], "rev": 4}, "score": {"value": 6.5, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-01-12T15:02:32", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1349814938764779536", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2020-5147 (netextender)) has been published on https://t.co/nMvXQ9Q9b0?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1349814927792480257", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2020-5147 (netextender)) has been published on https://t.co/0SoMXf1lik?amp=1"}]}, "backreferences": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:50212"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:163857"]}, {"type": "zdt", "idList": ["1337DAY-ID-36653"]}]}, "exploitation": null, "vulnersScore": 6.5}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:sonicwall:netextender:10.2.300"], "cpe23": ["cpe:2.3:a:sonicwall:netextender:10.2.300:*:*:*:*:windows:*:*"], "cwe": ["CWE-428"], "affectedSoftware": [{"cpeName": "sonicwall:netextender", "version": "10.2.300", "operator": "le", "name": "sonicwall netextender"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:sonicwall:netextender:10.2.300:*:*:*:*:windows:*:*", "versionEndIncluding": "10.2.300", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023", "name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/163857/SonicWall-NetExtender-10.2.0.300-Unquoted-Service-Path.html", "name": "http://packetstormsecurity.com/files/163857/SonicWall-NetExtender-10.2.0.300-Unquoted-Service-Path.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"zdt": [{"lastseen": "2022-02-10T19:42:26", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2021-08-17T00:00:00", "type": "zdt", "title": "SonicWall NetExtender 10.2.0.300 - Unquoted Service Path Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5147"], "modified": "2021-08-17T00:00:00", "id": "1337DAY-ID-36653", "href": "https://0day.today/exploit/description/36653", "sourceData": "# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path\n# Exploit Author: shinnai\n# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/\n# Version: 10.2.0.300\n# Tested On: Windows\n# CVE: CVE-2020-5147\n\n---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\nTitle: SonicWall NetExtender windows client unquoted service path \nvulnerability\nVers.: 10.2.0.300\nDown.: https://www.sonicwall.com/products/remote-access/vpn-clients/\n\nAdvisory: \nhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023\nCVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)\n\nURLs:\nhttps://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/\nhttps://shinnai.altervista.org/exploits/SH-029-20210109.html\n\nDesc.:\nSonicWall NetExtender Windows client vulnerable to unquoted service path \nvulnerability, this allows a local attacker to gain elevated privileges \nin the host operating system.\nThis vulnerability impact SonicWall NetExtender Windows client version \n10.2.300 and earlier.\n\nPoc:\n\nC:\\>sc qc sonicwall_client_protection_svc\n[SC] QueryServiceConfig OPERAZIONI RIUSCITE\nNOME_SERVIZIO: sonicwall_client_protection_svc\n TIPO : 10 WIN32_OWN_PROCESS\n TIPO_AVVIO : 2 AUTO_START\n CONTROLLO_ERRORE : 1 NORMAL\n NOME_PERCORSO_BINARIO : C:\\Program Files\\SonicWall\\Client \nProtection Service\\SonicWallClientProtectionService.exe <-- Unquoted \nService Path Vulnerability\n GRUPPO_ORDINE_CARICAMENTO :\n TAG : 0\n NOME_VISUALIZZATO : SonicWall Client Protection Service\n DIPENDENZE :\n SERVICE_START_NAME : LocalSystem\nC:\\>\n\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------\n\nC:\\>wmic service get name,displayname,pathname,startmode |findstr /i \n\"auto\" |findstr /i /v \"c:\\windows\\\\\" |findstr /i /v \"\"\"\nSonicWall Client Protection Service \nsonicwall_client_protection_svc C:\\Program Files\\SonicWall\\Client \nProtection Service\\SonicWallClientProtectionService.exe Auto\n\nC:\\>\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------\n", "sourceHref": "https://0day.today/exploit/36653", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2021-08-17T15:41:00", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 5.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2021-08-17T00:00:00", "type": "packetstorm", "title": "SonicWall NetExtender 10.2.0.300 Unquoted Service Path", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-5147"], "modified": "2021-08-17T00:00:00", "id": "PACKETSTORM:163857", "href": "https://packetstormsecurity.com/files/163857/SonicWall-NetExtender-10.2.0.300-Unquoted-Service-Path.html", "sourceData": "`# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path \n# Exploit Author: shinnai \n# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/ \n# Version: 10.2.0.300 \n# Tested On: Windows \n# CVE: CVE-2020-5147 \n \n--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \nTitle: SonicWall NetExtender windows client unquoted service path \nvulnerability \nVers.: 10.2.0.300 \nDown.: https://www.sonicwall.com/products/remote-access/vpn-clients/ \n \nAdvisory: \nhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023 \nCVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147) \n \nURLs: \nhttps://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/ \nhttps://shinnai.altervista.org/exploits/SH-029-20210109.html \n \nDesc.: \nSonicWall NetExtender Windows client vulnerable to unquoted service path \nvulnerability, this allows a local attacker to gain elevated privileges \nin the host operating system. \nThis vulnerability impact SonicWall NetExtender Windows client version \n10.2.300 and earlier. \n \nPoc: \n \nC:\\>sc qc sonicwall_client_protection_svc \n[SC] QueryServiceConfig OPERAZIONI RIUSCITE \nNOME_SERVIZIO: sonicwall_client_protection_svc \nTIPO : 10 WIN32_OWN_PROCESS \nTIPO_AVVIO : 2 AUTO_START \nCONTROLLO_ERRORE : 1 NORMAL \nNOME_PERCORSO_BINARIO : C:\\Program Files\\SonicWall\\Client \nProtection Service\\SonicWallClientProtectionService.exe <-- Unquoted \nService Path Vulnerability \nGRUPPO_ORDINE_CARICAMENTO : \nTAG : 0 \nNOME_VISUALIZZATO : SonicWall Client Protection Service \nDIPENDENZE : \nSERVICE_START_NAME : LocalSystem \nC:\\> \n \n---------------------------------------------------------------------------------------------------------------------------------------------------------------------- \n \nC:\\>wmic service get name,displayname,pathname,startmode |findstr /i \n\"auto\" |findstr /i /v \"c:\\windows\\\\\" |findstr /i /v \"\"\" \nSonicWall Client Protection Service \nsonicwall_client_protection_svc C:\\Program Files\\SonicWall\\Client \nProtection Service\\SonicWallClientProtectionService.exe Auto \n \nC:\\> \n---------------------------------------------------------------------------------------------------------------------------------------------------------------------- \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/163857/sonicwallextender1020300-unquotedpath.txt", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2022-05-13T17:36:06", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.4}, "published": "2021-08-17T00:00:00", "type": "exploitdb", "title": "SonicWall NetExtender 10.2.0.300 - Unquoted Service Path", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-5147", "CVE-2020-5147"], "modified": "2021-08-17T00:00:00", "id": "EDB-ID:50212", "href": "https://www.exploit-db.com/exploits/50212", "sourceData": "# Exploit Title: SonicWall NetExtender 10.2.0.300 - Unquoted Service Path\r\n# Exploit Author: shinnai\r\n# Software Link: https://www.sonicwall.com/products/remote-access/vpn-clients/\r\n# Version: 10.2.0.300\r\n# Tested On: Windows\r\n# CVE: CVE-2020-5147\r\n\r\n---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\nTitle: SonicWall NetExtender windows client unquoted service path \r\nvulnerability\r\nVers.: 10.2.0.300\r\nDown.: https://www.sonicwall.com/products/remote-access/vpn-clients/\r\n\r\nAdvisory: \r\nhttps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0023\r\nCVE ID: CVE-2020-5147 (https://nvd.nist.gov/vuln/detail/CVE-2020-5147)\r\n\r\nURLs:\r\nhttps://besteffortteam.it/sonicwall-netextender-windows-client-unquoted-service-path-vulnerability/\r\nhttps://shinnai.altervista.org/exploits/SH-029-20210109.html\r\n\r\nDesc.:\r\nSonicWall NetExtender Windows client vulnerable to unquoted service path \r\nvulnerability, this allows a local attacker to gain elevated privileges \r\nin the host operating system.\r\nThis vulnerability impact SonicWall NetExtender Windows client version \r\n10.2.300 and earlier.\r\n\r\nPoc:\r\n\r\nC:\\>sc qc sonicwall_client_protection_svc\r\n[SC] QueryServiceConfig OPERAZIONI RIUSCITE\r\nNOME_SERVIZIO: sonicwall_client_protection_svc\r\n TIPO : 10 WIN32_OWN_PROCESS\r\n TIPO_AVVIO : 2 AUTO_START\r\n CONTROLLO_ERRORE : 1 NORMAL\r\n NOME_PERCORSO_BINARIO : C:\\Program Files\\SonicWall\\Client \r\nProtection Service\\SonicWallClientProtectionService.exe <-- Unquoted \r\nService Path Vulnerability\r\n GRUPPO_ORDINE_CARICAMENTO :\r\n TAG : 0\r\n NOME_VISUALIZZATO : SonicWall Client Protection Service\r\n DIPENDENZE :\r\n SERVICE_START_NAME : LocalSystem\r\nC:\\>\r\n\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------\r\n\r\nC:\\>wmic service get name,displayname,pathname,startmode |findstr /i \r\n\"auto\" |findstr /i /v \"c:\\windows\\\\\" |findstr /i /v \"\"\"\r\nSonicWall Client Protection Service \r\nsonicwall_client_protection_svc C:\\Program Files\\SonicWall\\Client \r\nProtection Service\\SonicWallClientProtectionService.exe Auto\r\n\r\nC:\\>\r\n----------------------------------------------------------------------------------------------------------------------------------------------------------------------", "sourceHref": "https://www.exploit-db.com/download/50212", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}]}
CVE-2020-5147
