SonicWall finally fixed a flaw resulting from a partially patched 2020 zero-day

A critical vulnerability, tracked as CVE-2021-20019, in SonicWall VPN appliances was only partially patched last year and could allow a remote attacker to steal sensitive data.

In October last year, experts reported a critical stack-based Buffer Overflow vulnerability, tracked as CVE-2020-5135, in SonicWall Network Security Appliance (NSA) appliances.

At the time of the discovery, security experts from the Tripwire VERT security team discovered 795,357 SonicWall VPN appliances that were exposed online that were vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler. The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic because SonicWall NSA devices are used as firewalls and SSL VPN portals allow employees to access corporate networks.

The vulnerability affects the following versions:

SonicOS 6.5.4.7-79n and earlier
SonicOS 6.5.1.11-4n and earlier
SonicOS 6.0.5.3-93o and earlier
SonicOSv 6.5.4.4-44v-21-794 and earlier
SonicOS 7.0.0.0-1

Security experts from Tenable published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

Now experts discovered that the flaw was only partially fixed last year, the company completely fixed the issue in an update rolled out to SonicOS on June 22. Re

However, experts are not aware of attacks in the wild exploiting the vulnerability.

“SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability where the HTTP server response leaks partial memory. This can potentially lead to an internal sensitive data disclosure vulnerability.” reads the advisory published by the security vendor. “At this time, there is no indication that the discovered vulnerability is being exploited in the wild.”

After SonicWall rolled out a patch in October 2020, Tripwire researchers discovered that the flaw was only partially addressed potentially exposing users to a memory leak.

“On October 9, SonicWall confirmed my expectation that this was the result of an improper fix for CVE-2020-5135 and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure. Six days after I had initially reported the botched fix, SonicWall emailed me with a link to the now published advisory and added that they’d let me know when the memory dump issue is resolved and ready for release.” reads the post published by Tripwire. “As a one- or two-line fix with minimal impact, I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back.I reconnected with their PSIRT on March 1, 2021 for an update, but ultimately it took until well into June before an advisory could be released.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.