Security Notice: SonicWall Global VPN Client DLL Search Order Hijacking via Application Installer

gan3sh3 · March 5, 2025, 6:50am

Security Notice just came out. Finished confirming all VPN clients are up to date.

The notice (linked below), if you scroll down to Resolution, says, “Download the script available in the MySonicWall portal under the download section for Global VPN Client and double click on the script file, which will safely remove the affected folders from the respective Windows clients.” Can someone help me locate where this script file is, I’m not finding it in the portal or the download page.

gan3sh3 · March 5, 2025, 6:50am

To be safe I remove the outdated version, run the script, then install the latest version. I just finished up with the majority of clients and everything is going fine.

I’d run the script because the RarSFX folder, which is left behind from the previous installation can be manipulated by bad actors.

kerubi · March 5, 2025, 6:50am

It says in the advisory that the newest version (4.10.7.1424) fixes the issue. It is available from the download center.

There is also the ”installcleaner.bat” that I assume to be the script. Use at your own risk: https://software.sonicwall.com/GlobalVPNClient/installCleaner.bat

BackupFailed · March 5, 2025, 6:50am

Oh wait, do we have to cleanup appdata folder, when a previous version of GVC was installed, to fully fix this vulnerability?

I just updated GVC to the latest version.

Thanks for the info!

Ok_Appointment_3249 · March 5, 2025, 6:50am

I think, this is false positive alarm

walker_AU · March 5, 2025, 6:50am

The “InstallCleaner.bat” is not 100% effective. It will only delete the offending folder for the user that’s running the script.

If GVC was installed by any other user, you’re not covered.

Use this Powershell script instead:

$users = Get-ChildItem C:\Users
foreach ($user in $users){
$folder = "$($user.fullname)\AppData\Local\Temp\Rarsfx*"
   If (Test-Path $folder) {
     Remove-Item $folder -Recurse -Force -ErrorAction silentlycontinue
   }
}

gan3sh3 · March 5, 2025, 6:50am

Definitely run the script to be on the safe side. There’s nothing to worry about with the script, it’s fine. “If” the RarSFX folder is not deleted there’s an installer file left behind that can be manipulated. So, makes sense to play on the safe side and run the script.

Can copy this to a text file and run, super easy.

========> Start of script (don’t copy)

u/echo off

echo=

set /A status= 0

:start

if exist %tmp%\RarSFX* (

echo The RarSFX folder exist, start deleting the folder and its contents.

echo please wait...

del /s /q %tmp%\\RarSFX\*.\*

for /d %%i in ("%tmp%\\RarSFX\*") do ( rd /s /q "%%\~i")

set /A status+= 1 

goto start

) else if “%status%” GTR “0” (

echo All RarSFX folders were deleted successfully!

echo %date%  %time%

) else (

echo RarSFX folder does not exist, no need to delete.

)

echo=

pause

========> End of script (don’t copy)

kerubi · March 5, 2025, 6:50am

I don’t think so, but now that you say I guess I have to investigate

InactiveUserDetector · March 5, 2025, 6:50am

echo has not had any activity for over 5512 days,
They probably won’t respond to this mention

^Bot ^by ^AnnoyingRain5, ^message ^him ^with ^any ^questions ^or ^concerns