A significant number of SonicWall firewalls may be affected by a critical vulnerability that can be exploited for denial-of-service (DoS) attacks and possibly arbitrary code execution.
The vulnerability, identified as CVE-2020-5135, impacts various versions of SonicOS, the operating system powering SonicWall firewalls. The vendor has credited researchers at Tripwire and Positive Technologies for finding the security bug.
Tripwire discovered the flaw, which it described as a stack-based buffer overflow, in the SonicWall Network Security appliance (NSa), a firewall solution designed for medium-sized networks. The product also includes VPN capabilities that organizations can use to provide secure remote access for employees.
Tripwire explained in a blog post that the vulnerability exists in the HTTP/HTTPS service that is used for device management and VPN access. An unauthenticated attacker can exploit it by sending specially crafted HTTP requests with a custom protocol handler.
While the security hole can definitely be exploited for DoS attacks, Tripwire says arbitrary code execution is “likely feasible” as the company has “confirmed the ability to divert execution flow through stack corruption.”
Even for DoS attacks, the vulnerability can pose a serious threat to organizations as an attacker can leverage it to force a targeted firewall to reboot.
“An attacker can keep the system rebooting by continuously sending the malicious request,” Tripwire’s Craig Young told SecurityWeek. “You could imagine an extortion scheme where someone threatens to keep your VPN workforce offline until you pay them to stop attacking. Particularly during COVID, it could be difficult for the organization to patch a device while under attack as it may require physical device access and prolonged downtime.”
Nikita Abramov, application analysis specialist at Positive Technologies, explained that a DoS attack leads to the “collapse” of the main firewall application, which he says is responsible for all the logic work, including the web interface, command-line interface and other services.
Tripwire said it identified nearly 800,000 exposed SonicWall systems on Shodan, but Young clarified that this list likely also includes devices that are not vulnerable.
Positive Technologies, on the other hand, told SecurityWeek that it identified roughly 460,000 vulnerable devices.
SonicWall has released an advisory that provides information on affected SonicOS versions as well as the availability of updates that should patch CVE-2020-5135.
Positive Technologies has also been credited by SonicWall this week for finding a dozen other vulnerabilities in SonicOS, including several high-severity DoS flaws that can be exploited remotely without authentication to crash a firewall, and less severe DoS, XSS, brute forcing, and admin username enumeration issues.
UPDATE: SonicWall has provided the following statement:
“SonicWall maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP. As such, the company takes every disclosure or discovery seriously.
“SonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models (6.5.4v) that could potentially result in Denial-of-Service (DoS) attacks and/or cross-site scripting (XSS) vulnerabilities.
“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”