A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.
The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall Network Security Appliance (NSA). According to researchers who discovered it, the flaw exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.
An unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler, wrote Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), in a Tuesday analysis. But the damage could go further.
“VPN bugs are tremendously dangerous for a bunch of reasons,” he told Threatpost. “These systems expose entry points into sensitive networks and there is very little in the way of security introspection tools for system admins to recognize when a breach has occurred. Attackers can breach a VPN and then spend months mapping out a target network before deploying ransomware or making extortion demands.”
Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.
“The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password,” Young told Threatpost. “It is trivial to force a system to reboot… An attacker can simply send crafted requests to the SonicWALL HTTP(S) service and trigger memory corruption.”
However, he added that a code-execution attack does require a bit more work.
“Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption, indicating that a code-execution exploit is likely feasible,” he wrote, adding in an interview that an attacker would need to also leverage an information leak and a bit of analysis to pull it off.
That said, “If someone takes the time to prepare RCE payloads, they could likely create a sizeable botnet through a worm,” he said.
Nikita Abramov, application analysis specialist at Positive Technologies (PT), and Young are credited with finding the flaw.
There’s no sign of exploitation so far, Young said, but a Shodan search for the affected HTTP server banner indicated 795,357 vulnerable hosts as of Tuesday. PT, meanwhile, counted around 460,000 vulnerable devices, so there is no consensus on the figure.
“PT believes 460,000 is a more accurate figure: Shodan shows both ports 443 and 80. In total, there are about 800,000 devices, but there is a re-address from port 80 to port 443 to the same device, so it’s incorrect to count them together,” the firm told Threatpost. “It’s possible some companies have installed patches already; there’s no sure-fire way to indicate if a device is vulnerable without conducting an attack.”
SonicWall has issued a patch; SSL VPN portals may be disconnected from the internet as a temporary mitigation before the patch is applied.
“SonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models (6.5.4v) that could potentially result in Denial-of-Service (DoS) attacks and/or cross-site scripting (XSS) vulnerabilities,” the company said in a statement to Threatpost.
“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research,” it continued. “This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”
It added, “SonicWall maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP. As such, the company takes every disclosure or discovery seriously.”
The following versions are vulnerable: SonicOS 220.127.116.11-79n and earlier; SonicOS 18.104.22.168-4n and earlier; SonicOS 22.214.171.124-93o and earlier; SonicOSv 126.96.36.199-44v-21-794 and earlier; and SonicOS 188.8.131.52-1.
“Organizations exposing VPN portals to the web should not consider these systems as impenetrable fortresses,” Young told Threatpost. “If the last 18 months has shown anything, it is that enterprise VPN firewalls can be just as insecure as a cheap home router. It is crucial to employ a tiered security model to recognize and respond to unauthorized activity.”
The update from SonicWall actually patches 11 flaws found by Positive Technologies experts, including one vulnerability (CVE-2020-5135) that was discovered independently and in parallel by another company.
Of note is CVE-2020-5143, which allows criminals to check whether logins exist in the system, after which the passwords for those logins can be brute-forced.
“It essentially makes the brute force easier: First, attackers brute-force usernames (it’s called user enumeration) and know for sure that they exist, and after that they brute-force passwords for these usernames,” PT told Threatpost.
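A defender-side check for the two-phase pattern PT describes (a username sweep, then password guessing against a few of the swept names), as an added example that is not from the article, PT or SonicWall. The event tuple format, the thresholds and the sample data are assumptions constructed for illustration; real appliance logs would need their own parser.

```python
from collections import Counter, defaultdict

ENUM_MIN_USERS = 5   # assumed threshold: distinct usernames tried by one source
BRUTE_MIN_TRIES = 4  # assumed threshold: failed logins against one username

def constructed_sample():
    """Constructed events, not real appliance logs: (epoch, src_ip, user, outcome)."""
    sweep = ["alice", "bob", "carol", "dave", "erin", "frank"]
    ev = [(1000 + i, "203.0.113.7", u, "fail") for i, u in enumerate(sweep)]
    ev += [(1010 + i, "203.0.113.7", "carol", "fail") for i in range(5)]
    ev += [(1020 + i, "203.0.113.7", "erin", "fail") for i in range(4)]
    # A user mistyping a password, then logging in.
    ev += [(1001, "198.51.100.20", "gina", "fail"),
           (1002, "198.51.100.20", "gina", "fail"),
           (1003, "198.51.100.20", "gina", "ok")]
    # Plain password guessing on one name: no enumeration phase.
    ev += [(1030 + i, "198.51.100.30", "admin", "fail") for i in range(6)]
    return sorted(ev)

def detect_enum_then_brute(events):
    """Flag sources that sweep many usernames once, then hammer a few of them."""
    fails = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "fail":
            fails[src].append((ts, user))
    findings = {}
    for src, attempts in fails.items():
        tries = Counter(user for _, user in attempts)
        if len(tries) < ENUM_MIN_USERS:
            continue
        targeted = {u for u, n in tries.items() if n >= BRUTE_MIN_TRIES}
        abandoned = {u for u, n in tries.items() if n == 1}
        if not targeted or len(abandoned) <= len(targeted):
            continue
        # Phase order: repeated guesses must continue after the last one-off probe.
        sweep_end = max(ts for ts, u in attempts if u in abandoned)
        hammered_later = {u for ts, u in attempts if ts > sweep_end}
        if targeted <= hammered_later:
            findings[src] = {"probed": len(tries), "targeted": sorted(targeted)}
    return findings

if __name__ == "__main__":
    print(detect_enum_then_brute(constructed_sample()))
```

The single-username guesser and the mistyping user are deliberately not flagged by this rule; they belong to a separate lockout or rate-limit alert.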
This story was updated on Oct. 15 to include a statement from SonicWall and additional information from Positive Technologies.