
CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability

Researchers disclose a critical pre-authentication vulnerability in the SonicWall VPN Portal that is easily exploitable.

Background

On October 12, SonicWall published a security advisory (SNWLID-2020-0010) to address a critical vulnerability in SonicOS that could lead to remote code execution (RCE). The vulnerability was discovered by security researchers at Tripwire’s Vulnerability and Exposure Research Team (VERT).

Analysis

CVE-2020-5135 is a stack-based buffer overflow vulnerability in the VPN Portal of SonicWall’s Network Security Appliance. A remote, unauthenticated attacker could exploit the vulnerability by sending a specially crafted HTTP request with a custom protocol handler to a vulnerable device. At a minimum, successful exploitation would result in a denial of service condition against the exploited device, exhausting its resources.

Remote code execution “likely feasible” but not without additional footwork

The researchers added that they were able to “divert execution flow through stack corruption” which means achieving RCE is “likely feasible.” In an interview with Threatpost, Craig Young of VERT noted that to gain RCE, an attacker would also need “an information leak and a bit of analysis.”

Hundreds of thousands of devices may be impacted

According to VERT, nearly 800,000 hosts may be affected. This figure is based on a Shodan search for the HTTP server banner, although the specific banner was not provided.

Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.

Example output from two Shodan search results for SonicWall firewall and VPNs

The Tenable Security Response Team was not able to independently confirm that the hosts found on Shodan are affected by this particular vulnerability. The hosts discovered by our Shodan queries appear to be internet-facing SonicWall servers, but their versions could not be determined, so it is unclear whether they are vulnerable.

SSL VPN vulnerabilities: the gift that keeps on giving

Over the last year, cybercriminals and threat actors have been steadily leveraging vulnerabilities in a variety of SSL VPN solutions. As VPNs sit at the edge of a network and are in most cases publicly accessible, they are an enticing target for attackers. Exploitation of these devices can allow an attacker to pivot to an internal network and begin targeting additional hosts. Some notable vulnerabilities in VPN devices over the past year include:

CVE Vendor/Product CVSSv3 Tenable VPR*
CVE-2018-13379 Fortinet FortiOS SSL VPN 9.8 9.8
CVE-2019-11510 Pulse Connect Secure SSL VPN 10.0 10.0
CVE-2019-19781 Citrix NetScaler ADC 9.8 9.9
CVE-2019-1579 Palo Alto Networks Global Protect SSL VPN 9.8 9.7

*Please note Tenable VPR scores are calculated nightly. This blog post was published on October 15 and reflects VPR at that time.

In the Cybersecurity and Infrastructure Security Agency (CISA) alert AA20-133A, entitled “Top 10 Routinely Exploited Vulnerabilities,” both CVE-2019-11510 and CVE-2019-19781 are featured as two of the vulnerabilities most routinely exploited in 2020.

In subsequent alerts, CISA has observed foreign threat actors using several SSL VPN vulnerabilities as part of their attacks. On October 9, CISA and the Federal Bureau of Investigation issued a joint cybersecurity advisory on advanced persistent threat (APT) group activity, which highlighted the use of CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781 in APT toolkits to gain initial access to targeted environments.

With CVE-2020-5135, attackers potentially have another SSL VPN vulnerability in their respective toolboxes to target vulnerable systems.

SonicWall patched 10 additional vulnerabilities

In total, SonicWall patched 11 vulnerabilities on October 12. The following table lists the remaining 10 vulnerabilities that were patched:

CVE Advisory ID Type CVSSv3
CVE-2020-5133 SNWLID-2020-0008 Unauthenticated Buffer Overflow 8.2
CVE-2020-5134 SNWLID-2020-0009 Out-of-Bound Invalid File Reference 6.5
CVE-2020-5136 SNWLID-2020-0011 Authenticated Buffer Overflow 6.5
CVE-2020-5137 SNWLID-2020-0012 Unauthenticated Buffer Overflow 7.5
CVE-2020-5138 SNWLID-2020-0013 Unauthenticated Heap Overflow 7.5
CVE-2020-5139 SNWLID-2020-0014 Unauthenticated Release of Invalid Pointer 7.5
CVE-2020-5140 SNWLID-2020-0015 Unauthenticated Malicious HTTP Request 7.5
CVE-2020-5141 SNWLID-2020-0016 Unauthenticated Brute Force 6.5
CVE-2020-5142 SNWLID-2020-0017 Stored Cross-Site Scripting (XSS) 6.5
CVE-2020-5143 SNWLID-2020-0018 Administrator Username Enumeration 5.3

All of these vulnerabilities were discovered by security researcher Nikita Abramov of Positive Technologies Offensive Team. Abramov is credited with discovering CVE-2020-5135 along with Craig Young of VERT.

Proof of concept

At the time this blog post was published, no PoC code was available for any of the vulnerabilities, including CVE-2020-5135.

Solution

SonicWall published patches for all 11 vulnerabilities. The following table lists the affected versions along with their associated fixed version. Organizations are strongly encouraged to upgrade to a fixed version as soon as possible.

Affected Versions Fixed Versions
SonicOS 6.5.4.7-79n and below SonicOS 6.5.4.7-83n
SonicOS 6.5.1.11 and below SonicOS 6.5.1.12-1n
SonicOS 6.0.5.3-93o and below SonicOS 6.0.5.3-94o
SonicOSv 6.5.4.4-44v-21-794 and below SonicOS 6.5.4.v-21s-987
SonicOS 7.0.0.0-1 SonicOS 7.0.0.0-2 and above

If upgrading is not feasible at this time, a temporary workaround, while inconvenient, is to ensure the SonicWall SSL VPN portal is disabled.
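As an added illustration (not code from this post, from Tenable's plugins or from SonicWall), the following script classifies a SonicOS version string from an inventory against the fixed builds in the table above. It assumes the version scheme "dotted release, then dash-separated build numbers with an optional trailing letter" and deliberately leaves out the SonicOSv row, whose scheme differs; anything it cannot map to a table branch is reported as an unknown branch rather than guessed at.

```python
import re
from typing import Optional, Tuple

# Fixed builds per SonicOS branch, taken from the affected/fixed table in the post.
# The SonicOSv row (6.5.4.4-44v-21-794 -> 6.5.4.v-21s-987) uses a different
# version scheme and is intentionally omitted; such versions report "unknown branch".
FIXED_BUILDS = {
    (6, 5, 4, 7): "6.5.4.7-83n",
    (6, 5, 1): "6.5.1.12-1n",
    (6, 0, 5, 3): "6.0.5.3-94o",
    (7, 0, 0, 0): "7.0.0.0-2",
}

# Assumed format: dotted numeric release, then zero or more "-<digits><letter?>" build parts.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)((?:-\d+[a-z]?)*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Split '6.5.4.7-83n' into ((6, 5, 4, 7), (83,)); trailing letters are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    dotted = tuple(int(p) for p in m.group(1).split("."))
    builds = tuple(int(re.sub(r"[a-z]$", "", p)) for p in m.group(2).split("-") if p)
    return dotted, builds


def branch_of(dotted: Tuple[int, ...]) -> Optional[Tuple[int, ...]]:
    """Return the longest table branch that prefixes this release, or None."""
    matches = [b for b in FIXED_BUILDS if dotted[: len(b)] == b]
    return max(matches, key=len) if matches else None


def assess(version: str) -> str:
    """Classify a version as 'affected', 'fixed' or 'unknown branch' (tuple order = build order)."""
    try:
        dotted, builds = parse_version(version)
    except ValueError:
        return "unknown branch"
    branch = branch_of(dotted)
    if branch is None:
        return "unknown branch"
    return "affected" if (dotted, builds) < parse_version(FIXED_BUILDS[branch]) else "fixed"


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["6.5.4.7-79n", "6.5.4.7-83n", "6.5.1.11", "7.0.0.0-1", "6.5.4.4-44v-21-794"]:
        print(f"{v:22s} {assess(v)}")
```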

Identifying affected systems

A list of Tenable plugins to identify CVE-2020-5135 will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.
