Recently, SonicWall issued a security advisory for a critical vulnerability in SonicOS, CVE-2020-5135, that could lead to remote code execution. Security researchers at Tripwire's VERT discovered this vulnerability. SonicWall firewalls are a core component of network security in the small and medium-sized enterprise market, and SonicWall's proprietary operating system, SonicOS, runs on all of its firewall appliances. This means that the mechanisms and procedures needed to configure their security settings are identical across all of them.
CVE-2020-5135 is a stack-based buffer overflow in the SonicWall Network Security Appliance (NSA) VPN portal. An unauthenticated attacker may exploit this SonicWall vulnerability by sending a specially crafted HTTP request with a custom protocol handler to a vulnerable system. At the very least, successful exploitation results in a denial of service on the targeted system, exhausting its resources.
About CVE-2020-5135
SonicWall is a next-generation firewall appliance with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN functionality. CVE-2020-5135 was discovered by Nikita Abramov of Positive Technologies and Craig Young of the Tripwire Vulnerability and Exposures Research Team (VERT). The vulnerability is reported to affect:
- SonicOS 6.5.4.7-79n and earlier
- SonicOS 6.5.1.11-4n and earlier
- SonicOSv 6.5.4.4-44v-21-794 and earlier
- SonicOS 6.0.5.3-93o and earlier
- SonicOS 7.0.0.0-1
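A firmware inventory check against the affected-version list above, written as an added example for this article rather than code from SonicWall or the researchers. It assumes that "and earlier" applies within a release branch (product plus the first three numeric components), and flags any branch that is not on the list as needing a manual check rather than treating it as safe; the hostnames and builds in the sample inventory are constructed.

```python
import re

# Affected builds as listed in the advisory text above. The flag records whether
# the entry reads "and earlier"; SonicOS 7.0.0.0-1 is listed as a single build.
AFFECTED = [
    ("SonicOS",  "6.5.4.7-79n",        True),
    ("SonicOS",  "6.5.1.11-4n",        True),
    ("SonicOSv", "6.5.4.4-44v-21-794", True),
    ("SonicOS",  "6.0.5.3-93o",        True),
    ("SonicOS",  "7.0.0.0-1",          False),
]

def parse_version(text: str) -> tuple:
    """'6.5.4.7-79n' -> (6, 5, 4, 7, 79): digit runs in order, so the build after the dash sorts last."""
    nums = tuple(int(n) for n in re.findall(r"\d+", text))
    if len(nums) < 5:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return nums

def is_affected(product: str, version_text: str):
    """True: covered by an advisory entry. False: branch listed but build is newer
    than its ceiling. None: branch not on the list (needs a manual check).
    Assumption: "and earlier" applies within a release branch, taken here as the
    product plus the first three numeric components (e.g. SonicOS 6.5.4)."""
    v = parse_version(version_text)
    verdict = None
    for prod, ceiling_text, and_earlier in AFFECTED:
        ceiling = parse_version(ceiling_text)
        if (prod, ceiling[:3]) != (product, v[:3]):
            continue
        if v == ceiling or (and_earlier and v < ceiling):
            return True
        verdict = False
    return verdict

def triage(inventory) -> dict:
    """Map hostname -> verdict for rows of (host, product, version)."""
    return {host: is_affected(prod, ver) for host, prod, ver in inventory}

# Constructed sample inventory; hostnames and builds are not real devices.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "SonicOS",  "6.5.4.7-79n"),         # the listed ceiling itself
    ("fw-branch-02", "SonicOS",  "6.5.4.7-80n"),         # one build past the ceiling
    ("fw-virt-01",   "SonicOSv", "6.5.4.4-44v-21-794"),  # SonicOSv ceiling
    ("fw-hq-01",     "SonicOS",  "6.5.2.3-10n"),         # branch not in the list
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(host, {True: "AFFECTED", False: "not affected", None: "not in list"}[verdict])
```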
The bug is triggered by an unauthenticated HTTP request involving a custom protocol handler. This SonicWall vulnerability lies in the HTTP/HTTPS service used for product management as well as for SSL VPN remote access. It sits in the pre-authentication portion (SSLVPN) of that service, which is usually exposed to the public Internet.
Using Shodan, Tripwire and Tenable researchers identified nearly 800,000 SonicWall NSA devices whose HTTP server banner was exposed to the Internet. The exact number of vulnerable devices could not be determined, since their respective models could not be identified. A persistent denial-of-service condition is obviously simple for attackers to achieve, as no prior authentication is necessary: it can be triggered by submitting a specially crafted request to the vulnerable SSL VPN service or portal.
Mitigation and remediation
There is currently no evidence that the bug is being actively exploited or that public proof-of-concept exploit code exists, so administrators have a window of opportunity to patch the affected devices.
Apart from applying the provided update, they can also disconnect the SSL VPN portal from the Internet, although this does not remove the possibility of exploiting the other vulnerabilities addressed by the latest updates. Installing the security updates is the preferred step, since bugs in SSL VPN solutions are a favourite target of cyber attackers and threat actors.
Solution
SonicWall researchers performed thorough testing and code review to validate the third-party analysis. This research led to the discovery of additional vulnerabilities specific to the virtual and hardware appliances.
Common Vulnerabilities and Exposures (CVE) entries were requested and scored using the Common Vulnerability Scoring System (CVSS). The PSIRT team focused on reproducing the issues and on designing, testing, and releasing patches for the affected products.
SonicWall has released fixes for all 11 vulnerabilities. Organizations are strongly encouraged to update to a fixed version as soon as possible.
In Conclusion
VPN bugs are quite dangerous. CVE-2020-5142 allows an intruder to inject unauthorized JavaScript code into the SSL VPN firewall portal, and a number of the other vulnerabilities open the door to DoS attacks that can be carried out by an unauthenticated attacker.
The SonicWall update actually fixes 11 bugs found by Positive Technologies experts, including one vulnerability (CVE-2020-5135) found independently and in parallel by another organization. Another, CVE-2020-5143, allows attackers to enumerate existing logins on the system, which can then be brute-forced.