CVE-2021-20020
published 2021-04-10

CVE-2021-20020: A command execution vulnerability in SonicWall GMS 9.3 allows a remote unauthenticated attacker to locally escalate privilege to root.

Priority: P268 · critical · 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.73% (88.5th percentile)

Affected

3 ranges

Vendor     Product                   Version range   Fixed in
sonicwall  global_management_system
sonicwall  global_management_system
sonicwall  gms

Detection & IOCs (extracted from sources)

path: /var/lib/infobright_pg/pg_data/pg_hba.conf
path: /etc/ld.so.preload
filename: gms-rce.py
filename: pwn.so
filename: lpe.so
path: /var/lib/infobright_pg/pg_data/base
path: /var/lib/infobright_pg/pg_data/pg_xlog
command: psql -h <target> -p 5029 -U postgres -c "SELECT version()"
process: linux/postgres/postgres_payload
bytes: \x7fELF|.got|.plt|.shstrtab|.dynamic|.text|.init|mmap|mprotect|memcpy|dup2|libc.so.6
  • Detect unauthenticated connections to PostgreSQL on port 5029/tcp from external/untrusted hosts; pg_hba.conf configured with 'trust' authentication for all addresses (0.0.0.0/0) is the root cause.
  • Alert on creation or modification of /etc/ld.so.preload by the postgres user, which is the privilege escalation mechanism used to achieve root.
  • Monitor for ELF binary artifacts (shared objects) written into PostgreSQL data directories (/var/lib/infobright_pg/pg_data/base or pg_xlog); grep for ELF headers and common ROP/shellcode strings as an indicator of postgres_payload delivery.
  • Alert on /bin/ping being spawned as a child process of the postgres process; this is the execution vector used by the exploit's shared-object preload technique.
  • Detect any file creation under /etc by the postgres user (uid=104), as the world-writable /etc directory is abused to drop ld.so.preload for privilege escalation.
  • Monitor disk-level writes by the postgres process to detect payload staging in PostgreSQL data directories.
  • The vulnerable version is GMS 9.3.9314; the fix is GMS 9.3 MAR-22474.1-HotFix released 2021-04-07. Ensure the hotfix is applied.
  • The PostgreSQL instance uses 'trust' authentication for all hosts on all databases, meaning no password is required to connect as any user including postgres; network-level blocking of port 5029/tcp from untrusted hosts is a critical compensating control.
  • The /etc directory is world-writable (drwxrwxrwt), which is the prerequisite for the local privilege escalation to root via ld.so.preload; this is an abnormal filesystem permission that should be audited.
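The root cause named above is a pg_hba.conf that grants 'trust' authentication to every address. The following audit script is an added example (not part of this record or of SonicWall's product) that flags such entries; the pg_hba.conf sample inside it is constructed to resemble the weak configuration described here, not copied from an appliance.

```python
"""Flag pg_hba.conf entries that combine 'trust' with an all-hosts address.

Handles CIDR (0.0.0.0/0, ::/0), the separate-netmask form (0.0.0.0 0.0.0.0)
and the keyword 'all'. Unix-socket ('local') entries are ignored because the
concern here is unauthenticated remote access on 5029/tcp.
"""
import ipaddress

# Constructed sample: lines 3-5 reproduce the weak setting, line 6 is a sane entry.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS         METHOD
local   all       all                       trust
host    all       all       0.0.0.0/0       trust
host    all       all       ::/0            trust
host    all       all       0.0.0.0 0.0.0.0 trust
host    gms       gmsuser   127.0.0.1/32    md5
"""

HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def _admits_any_host(address, netmask=None):
    """True when the ADDRESS field (plus optional netmask) matches every client."""
    if address.lower() == "all":
        return True
    spec = f"{address}/{netmask}" if netmask else address
    try:
        return ipaddress.ip_network(spec, strict=False).prefixlen == 0
    except ValueError:  # hostnames, samehost/samenet: not a global wildcard
        return False


def find_open_trust(text):
    """Return (line_no, normalised_entry) for host entries using trust for all clients."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if len(fields) < 5 or fields[0] not in HOST_TYPES:
            continue
        address, rest = fields[3], fields[4:]
        netmask = None
        if len(rest) >= 2 and _is_ip(rest[0]):  # "ADDRESS NETMASK METHOD" form
            netmask, rest = rest[0], rest[1:]
        if rest[0] == "trust" and _admits_any_host(address, netmask):
            findings.append((no, " ".join(fields)))
    return findings


if __name__ == "__main__":
    for no, entry in find_open_trust(SAMPLE_PG_HBA):
        print(f"line {no}: {entry}")
```

Run it against the real file (/var/lib/infobright_pg/pg_data/pg_hba.conf on an affected appliance) to confirm remediation after the hotfix, and keep 5029/tcp blocked from untrusted networks regardless of the result.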

CVSS provenance

NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)