UPDATE: There is a critical remotely exploitable vulnerability in several versions of SonicWall’s SonicOS software that could allow an attacker to run arbitrary code on vulnerable appliances.
The recently disclosed vulnerability (CVE-2020-5135) is a stack buffer overflow. It can easily be used to cause a denial-of-service condition, though achieving code execution is more complicated.
“The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access,” an advisory from Craig Young at Tripwire, who discovered the vulnerability, says.
“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”
The vulnerability is particularly worrisome given that the affected appliances often are used for remote access via the SSL VPN functionality. An attacker who is able to compromise a VPN appliance would have a highly privileged position in the target network and the ability to discover other assets and potential targets. This year has seen a steady flow of vulnerabilities in VPNs, the most serious one being a flaw in the Pulse Secure VPN disclosed in April. The company patched the vulnerability, but several months later the Cybersecurity and Infrastructure Security Agency warned that attackers affiliated with the Chinese Ministry of State Security were actively targeting it.
“CISA has conducted multiple incident response engagements at Federal Government and commercial entities where the threat actors exploited CVE-2019-11510—an arbitrary file reading vulnerability affecting Pulse Secure VPN appliances—to gain access to victim networks. Although Pulse Secure released patches for CVE-2019-11510 in April 2019, CISA observed incidents where compromised Active Directory credentials were used months after the victim organization patched their VPN appliance,” the CISA advisory says.
The SonicWall bug affects a number of different versions of the SonicOS software, which runs on the company’s firewall appliances. Affected versions include SonicOS 22.214.171.124-79n and earlier, SonicOS 126.96.36.199-4n and earlier, SonicOS 188.8.131.52-93o and earlier, SonicOSv 184.108.40.206-44v-21-794 and earlier, and SonicOS 220.127.116.11-1. SonicWall has released updated versions of the affected software that include fixes for the vulnerability.
SonicWall officials said they have not seen any indications that the bug has been exploited in the wild yet.
"Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted," the company said in a statement.
This story was updated on Oct. 16 to add SonicWall's statement.