Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance (NSA). Among those is CVE-2020-5135, a critical stack-based buffer overflow vulnerability in the appliances’ VPN Portal that could be exploited to cause denial of service and possibly remote code execution.
The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.
CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT), and has been confirmed to affect:
- SonicOS 18.104.22.168-79n and earlier
- SonicOS 22.214.171.124-4n and earlier
- SonicOS 126.96.36.199-93o and earlier
- SonicOSv 188.8.131.52-44v-21-794 and earlier
- SonicOS 184.108.40.206-1
“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” Tripwire VERT explained.
“This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”
By using Shodan, both Tripwire and Tenable researchers discovered nearly 800,000 SonicWall NSA devices with the affected HTTP server banner exposed on the internet. Though, as the latter noted, it is impossible to determine the actual number of vulnerable devices because their respective versions could not be determined (i.e., some may already have been patched).
A persistent DoS condition is apparently easy for attackers to achieve, as it requires no prior authentication and can be triggered by sending a specially crafted request to the vulnerable service/SSL VPN portal.
VERT says that a code execution exploit is “likely feasible,” though it’s a bit more difficult to pull off.
Mitigation and remediation
There is currently no evidence that the flaw is being actively exploited nor is there public PoC exploitation code available, so admins have a window of opportunity to upgrade affected devices.
Aside from implementing the offered update, they can alternatively disconnect the SSL VPN portal from the internet, though this action does not mitigate the risk of exploitation of some of the other flaws fixed by the latest updates.