The SonicWall Bug Was Only Partially Fixed
The CVE-2020-5135 Vulnerability Was Believed to Be Patched, but the Fix Turned Out to Be Incomplete Until Now.
In October of last year, a critical stack-based buffer overflow vulnerability in SonicOS, tracked as CVE-2020-5135, was disclosed. It affected over 800,000 SonicWall VPN devices, and until recently it was believed to have been patched.
CVE-2020-5135 allows unauthenticated remote attackers to cause a denial of service (DoS) or execute arbitrary code on affected devices.
Unfortunately, it turns out that the original fix was incomplete, and a new identifier, CVE-2021-20019, has been assigned to the remaining flaw.
SonicWall bug only partially fixed
The vulnerability, CVE-2020-5135, was present in versions of SonicOS run by over 800,000 active SonicWall devices.
The buffer overflow is triggered by a malicious HTTP request sent to the firewall and can crash the device (DoS) or lead to arbitrary code execution.
Craig Young of the Tripwire Vulnerability and Exposure Research Team and Nikita Abramov of Positive Technologies were credited with discovering and reporting the vulnerability. After a long email exchange between Young and SonicWall, the issue was acknowledged as a problem and a patch was released.
However, when Young retested his proof-of-concept (PoC) exploit against SonicWall instances, he concluded that the fix was “botched.”
I decided to spin up a SonicWall instance on Azure to confirm how it responded to my proof-of-concept exploit.
In the past, when researching network appliances, I have observed differences in vulnerable behavior between virtual and physical systems.
In some past research, I have observed differences in vulnerable behavior related to hardware-based acceleration utilizing a separate code path.
To the researcher's surprise, the PoC no longer crashed the system. Instead, the HTTP response came back with a flood of binary data. Since that data could contain memory addresses, the patched handler was now disclosing memory rather than crashing, which is a security problem in its own right, so he contacted SonicWall again for a remedy.
The researcher reported this behaviour to SonicWall on October 6th, 2020, and sent several follow-ups before receiving a statement from SonicWall’s PSIRT:
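A crash that turns into binary data in the response is the classic symptom of a fix that bounds the write into a buffer but leaves the read unbounded. The C program below is an added illustration written for this article; it is not SonicOS source code and does not claim to reproduce SonicWall's actual bug or patch. The handler names, the 16-byte buffer, the `frame_t` stand-in for a stack frame, and the fake pointer bytes are all constructed for the demo.

```c
/*
 * Added illustration, not SonicOS code. A fixed-size stack buffer is filled
 * from an attacker-controlled HTTP header value and echoed back, in three
 * versions:
 *   copy_unbounded - the bug class behind CVE-2020-5135: no bound on the copy,
 *                    so a long value overwrites what follows the buffer on the
 *                    stack (crash, or code execution).
 *   copy_botched   - a partial fix: the write is bounded but the string is not
 *                    terminated, so the echo reads past the buffer and returns
 *                    neighbouring stack bytes to the client. One plausible way
 *                    a crash becomes "binary data in the HTTP response"; NOT a
 *                    claim about what SonicWall's patch actually did.
 *   copy_fixed     - a proper fix: over-long input rejected, always terminated.
 * frame_t stands in for the stack frame so the effects are observable without
 * corrupting this program's real stack. All names and sizes are constructed.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

typedef struct {
    char name[NAME_LEN];          /* the fixed buffer the header value lands in */
    unsigned char neighbour[16];  /* stands in for data next to it on the stack */
} frame_t;

/* Constructed stand-in for a pointer-sized value left on the stack (not a real
 * address); it has no zero byte so the over-read below is deterministic. */
static const unsigned char FAKE_PTR[8] = {0x10, 0xf2, 0x4a, 0x7b, 0x33, 0x7f, 0xff, 0x7f};

static void init_frame(frame_t *f) {
    memset(f, 0, sizeof *f);
    memcpy(f->neighbour, FAKE_PTR, sizeof FAKE_PTR);
}

/* Bug class: copy not bounded by NAME_LEN. Returns how many bytes spilled past
 * name[] into neighbour[]. The guard only keeps the demo inside frame_t; a
 * real overflow has no such guard. */
static size_t copy_unbounded(frame_t *f, const char *value) {
    size_t n = strlen(value) + 1;             /* includes the terminator */
    if (n > sizeof *f) return (size_t)-1;     /* demo guard only */
    memcpy((char *)f + offsetof(frame_t, name), value, n);
    return n > NAME_LEN ? n - NAME_LEN : 0;
}

/* Partial fix: write is bounded, but strncpy leaves name[] unterminated
 * whenever the value is NAME_LEN bytes or longer. */
static void copy_botched(frame_t *f, const char *value) {
    strncpy(f->name, value, NAME_LEN);
}

/* Proper fix: reject over-long values (HTTP 400 in a real handler) and
 * always terminate. Returns 0 on success, -1 on rejection. */
static int copy_fixed(frame_t *f, const char *value) {
    size_t len = strlen(value);
    if (len >= NAME_LEN) return -1;
    memcpy(f->name, value, len);
    f->name[len] = '\0';
    return 0;
}

/* Echo name[] the way a response body would be built: read to the first NUL,
 * but never past the end of frame_t, so the over-read is observable rather
 * than undefined. Returns the number of bytes written to out. */
static size_t echo_name(const frame_t *f, unsigned char *out, size_t outlen) {
    const unsigned char *p = (const unsigned char *)f + offsetof(frame_t, name);
    size_t limit = sizeof *f - offsetof(frame_t, name);
    size_t i = 0;
    while (i < limit && i < outlen && p[i] != '\0') { out[i] = p[i]; i++; }
    return i;
}

/* Triage check on a captured response body: bytes outside printable ASCII are
 * the red flag that a "fixed" handler now leaks memory instead of crashing. */
static size_t count_nonprintable(const unsigned char *buf, size_t n) {
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] < 0x20 || buf[i] > 0x7e) bad++;
    return bad;
}

/* Botched version end to end: returns the echoed length, stores the number of
 * leaked (non-printable) bytes in *leaked. */
static size_t botched_echo(const char *value, size_t *leaked) {
    frame_t f;
    unsigned char body[sizeof f];
    init_frame(&f);
    copy_botched(&f, value);
    size_t n = echo_name(&f, body, sizeof body);
    *leaked = count_nonprintable(body, n);
    return n;
}

int main(void) {
    const char *long_value = "AAAAAAAAAAAAAAAAAAAA";   /* 20 bytes, constructed */
    frame_t f;
    size_t leaked;
    init_frame(&f);
    printf("unbounded: %zu bytes spilled into neighbouring stack data\n",
           copy_unbounded(&f, long_value));
    size_t n = botched_echo(long_value, &leaked);
    printf("botched:   echoed %zu bytes, %zu non-printable (leaked)\n", n, leaked);
    init_frame(&f);
    printf("fixed:     over-long value %s\n",
           copy_fixed(&f, long_value) == -1 ? "rejected" : "accepted");
    return 0;
}
```

With the 20-byte value, the unbounded version spills five bytes into the neighbouring data, the botched version echoes 24 bytes of which five are non-printable stack bytes, and the fixed version rejects the input. The same `count_nonprintable` check, run over a real response body, is a cheap way to confirm that a retested PoC has changed from a crash into a memory disclosure.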
This [vulnerability has] been assigned CVE-2021-20019 and a patch would be released in [early 2021.]
The journalists from BleepingComputer also reached out to SonicWall for a comment:
SonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards.
Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS.
SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations to maintain patch diligence for all security products.
SonicWall has released advisories for this vulnerability today. Patches are already available for most platforms, but the NSsp 12K, SuperMassive 10k, and SuperMassive 9800 are still awaiting a patch release; SonicWall advises customers to monitor the advisory pages for updates.