SonicWall VPN client vulnerable

The NetExtender for SSL-VPNs client software from SonicWall contains several security holes by means of which attackers could infect or crash a system using specially crafted web pages. The vulnerabilities result from buffer overflows in various functions of the NELaunchCtrl (NELaunchX.dll) ActiveX control and can be exploited to inject and execute malicious code in a Windows system. In addition, the FileDelete function in the WebCacheCleaner control is vulnerable, allowing attackers to delete arbitrary files.

The vulnerabilities have been confirmed for WebCacheCleaner version 1.3.0.3 and for NetLaunchCtrl 2.1.0.49. However, earlier versions are also likely to be affected. According to the relevant advisories the vulnerabilities have been resolved in version 2.5 of the client software, which is shipped with SonicWall NetExtender 4000 and 2000. Patch Build 2.1 is designed to resolve the issue in SonicWall NetExtender 200. Clients need to connect to a NetExtender VPN appliance to obtain the updated control.

Alternatively, the US-CERT recommends setting the kill bit for the control to prevent Internet Explorer from loading it. This can be done by saving the following text as a .reg file and by subsequently importing this file from the context menu in Windows Explorer:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{6EEFD7B1-B26C-440D-B55A-1EC677189F30}]
"Compatibility Flags"=dword:00000400

ActiveX can, of course, also be disabled completely.

See also:

• Update for NetExtender SSL-VPNs, SonicWall support pages
• SonicWall etExtender NELaunchCtrl ActiveX control stack buffer overflow, US-CERT vulnerability note
• Multiple vulnerabilities in SonicWALL SSL-VPN Client, SEC Consult security advisory

(mba)