SonicWall finally fixed a flaw resulting from a partially patched 2020 zero-day

Pierluigi Paganini June 23, 2021

A critical vulnerability, tracked as CVE-2021-20019, in SonicWall VPN appliances was only partially patched last year and could allow a remote attacker to steal sensitive data.

In October last year, experts reported a critical stack-based Buffer Overflow vulnerability, tracked as CVE-2020-5135, in SonicWall Network Security Appliance (NSA) appliances.

At the time of the discovery, security experts from the Tripwire VERT security team discovered 795,357 SonicWall VPN appliances that were exposed online that were vulnerable to the CVE-2020-5135 RCE flaw.

“A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” reads the advisory published by SonicWall.

The vulnerability can be exploited by an unauthenticated HTTP request involving a custom protocol handler. The flaw resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible.” reads the analysis published by Tripwire. “This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet.”

This vulnerability is very dangerous, especially during the COVID-19 pandemic because SonicWall NSA devices are used as firewalls and SSL VPN portals allow employees to access corporate networks.

The vulnerability affects the following versions:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Security experts from Tenable published a post detailing the flaw, they also shared Shodan dorks for searching SonicWall VPNs.

“Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

Now experts discovered that the flaw was only partially fixed last year, the company completely fixed the issue in an update rolled out to SonicOS on June 22. Re

However, experts are not aware of attacks in the wild exploiting the vulnerability.

“SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability where the HTTP server response leaks partial memory. This can potentially lead to an internal sensitive data disclosure vulnerability.” reads the advisory published by the security vendor. “At this time, there is no indication that the discovered vulnerability is being exploited in the wild.”

After SonicWall rolled out a patch in October 2020, Tripwire researchers discovered that the flaw was only partially addressed potentially exposing users to a memory leak.

“On October 9, SonicWall confirmed my expectation that this was the result of an improper fix for CVE-2020-5135 and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure. Six days after I had initially reported the botched fix, SonicWall emailed me with a link to the now published advisory and added that they’d let me know when the memory dump issue is resolved and ready for release.” reads the post published by Tripwire. “As a one- or two-line fix with minimal impact, I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back.I reconnected with their PSIRT on March 1, 2021 for an update, but ultimately it took until well into June before an advisory could be released.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment