Almost 800,000 SonicWall VPN appliances online are vulnerable to CVE-2020-5135

The Tripwire VERT security team spotted almost 800,000 SonicWall VPN appliances exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

Security experts from the Tripwire VERT security team have discovered 795,357 SonicWall VPN appliances that were exposed online that are vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

The CVE-2020-5135 is a stack-based buffer overflow that affects the SonicWall Network Security Appliance (NSA). The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler.

The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic because SonicWall NSA devices are used as firewalls and SSL VPN portals allow employees to access corporate networks.

The vulnerability affects the following versions:

• SonicOS 6.5.4.7-79n and earlier
• SonicOS 6.5.1.11-4n and earlier
• SonicOS 6.0.5.3-93o and earlier
• SonicOSv 6.5.4.4-44v-21-794 and earlier
• SonicOS 7.0.0.0-1

Security experts from Tenable have published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

• product:”SonicWALL firewall http config”
• product:”SonicWALL SSL-VPN http proxy”

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.” wrote Tenable.

At the time of this post, the first search query provides 448,400 results, the second one 24,149, most of the vulnerable devices are in the United States.

SonicWall has already released updates to address the flaw, the company also recommends to disconnect SSL VPN portals from the Internet as temporary mitigation before installing one of the following versions:

• SonicOS 6.5.4.7-83n
• SonicOS 6.5.1.12-1n
• SonicOS 6.0.5.3-94o
• SonicOS 6.5.4.v-21s-987
• Gen 7 7.0.0.0-2 and onwards

The CVE-2020-5135 is a critical vulnerability rated as 9.4 out of 10, it could be easily exploited by unauthenticated attackers.

At the time this post was published, no PoC exploit code was available for the CVE-2020-5135 flaw.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2020-5135)

[adrotate banner=”5″]

[adrotate banner=”13″]