An October patch for a critical remote code execution (RCE) bug in a SonicWall VPN appliance turned out to be insufficient. While the patch closed the RCE attack vector, more than 800,000 devices were still vulnerable to an additional memory-leak flaw for months, according to researchers.
SonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as CVE-2020-5135, back in October.
However, Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was “botched,” needing a “one- or two-line fix” to be complete, he wrote in a report published Tuesday, which details the specifics of where the fix went wrong.
The vulnerability (CVE-2021-20019), not addressed by the initial October patch, is described in a security bulletin published Tuesday as, “A vulnerability in SonicOS where the HTTP server response leaks partial memory by sending a crafted unauthenticated HTTP request. This can potentially lead to an internal sensitive data disclosure vulnerability.”
In a statement from SonicWall sent to Threatpost it stated:
“SonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards. Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products.”
The initial bug, with a CVSS severity rating of 9.4. The vulnerability highlighted by Tripwire has a medium CVSS severity rating of 5.3.
Though SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.
“I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,” he wrote. “I reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.”
Where It Went Wrong
Young and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.
The vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his analysis at the time.
Abramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch to resolve the problem. That date later was pushed up to Oct. 14, he said, which is when SonicWall also acknowledged to Threatpost that it had indeed issued a patch for the flaw.
However, after the patch was released, Young tested a SonicWall VPN on Microsoft Azure to confirm how it responded to a proof-of-concept exploit he’d devised for the flaw and found that it was still vulnerable. However, though it did not crash the system, the exploit payload did trigger a flood of binary data in response, he wrote, providing a screenshot of the result in his analysis.
“As you can see from the screenshot, there are values in the binary data which certainly look like they could be memory addresses,” Young wrote. “Although I never observed recognizable text in the leaked memory, I believe this output could vary based on how the target system is used. I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug.”
Young’s final assessment of his test was that the fix was incomplete, he said. “The unbounded string copy was replaced with an appropriate memory safe function, but the return value was not properly considered,” he wrote.
Delayed Security Advisory
Young reported his findings to SonicWall PSIRT on Oct. 6 and followed up several times before receiving a response on Oct. 9 that “confirmed my expectation that this was the result of an improper fix for CVE-2020-5135, and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure,” he wrote.
Six days later, Young said he received a response from the company that he would be informed when the memory-dump issue he identified was resolved and ready for release. He followed up again in March when he still had not heard back, he said.
Ultimately, it would take until this Wednesday, June 22, before SonicWall would publicly post the advisory for the updated patch to the vulnerability, Young wrote.
The security advisory also patches a number of other bugs in SonicWall platforms, a complete list of which is available in both the company’s post and Young’s analysis.
(This article was updated on 6/23 at 12:30 p.m. ET to reflect additional reporting on a portion of a vulnerability not addressed by SonicWall’s October patch. A clarification was also made to more clearly indicate that SonicWall’s initial patch did mitigate the RCE bug. The article also includes a statement from SonicWall.)
Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!