SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
A critical stack-based buffer overflow vulnerability was discovered in SonicWall Network Security Appliance (NSA) VPN. In this article, we will address the problem explored by this flaw, its impact worldwide and mitigation measures to fix the problem and avoid cyber-incidents using this specific vector as an entry point on the internal infrastructure.
Learn Vulnerability Management
CVE-2020-5135: Overview
The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability leverages the HTTP/HTTPS service used for product management as well as SSL VPN remote access. This service can be exploited to cause a denial-of-service condition and possibly remote code execution.
Nikita Abramov of Positive Technologies and Craig Young of Tripwire’s Vulnerability and Exposures Research Team (VERT) discovered CVE-2020-5135. This flaw affects the following versions of SonicOS:
SonicOS 6.5.1.11-4n and earlier
SonicOS 6.0.5.3-93o and earlier
SonicOSv 6.5.4.4-44v-21-794 and earlier
SonicOS 7.0.0.0-1According to the researchers, the vulnerability resides in a pre-authentication and in a component SSLVPN, which is often exposed to the public internet. This opens the doors to possible attacks in the wild.
Impacted devices by number
The number of exposed devices on the internet is huge, and nearly 800,000 hosts may be vulnerable. This number is based on a Shodan search for the HTTP banner of the SonicWall firewall.
The Tenable team doesn’t confirm that the hosts found on Shodan were affected by this particular vulnerability.
“The hosts discovered with our Shodan queries are indicative that they are internet facing SonicWall servers, their respective versions could not be determined and thus it is unclear if they are vulnerable.”
With this set of information in place, criminals could abuse a DoS condition — which is easy to obtain, as the attack only requires a successful connection with the affected device. The malicious payload can be used to trigger the flaw on the SSL VPN portal.
Looking at the last year, we can find a set of vulnerabilities present and explored by criminals in SSL VPN solutions. As these kinds of devices are the edge of the internal network with the public internet, they are an enticing target for criminals. As VPNs take an increasingly important role amidst the rise in working remotely, exploitation of these devices can allow criminals to pivot to an internal network and begin targeting the entire ecosystem.
As observed below, some notable vulnerabilities were found in VPN devices from several vendors last few years, including:
Mitigation measures
With CVE-2020-5135 in place, attackers potentially have another SSL VPN vulnerability in scope to target vulnerable systems. In this way, patching the affected versions is mandatory in order to fix the problem.
In total, SonicWall patched 11 vulnerabilities on October 12th, 2020. The following table lists the remaining 10 vulnerabilities that were patched:
All of the vulnerabilities were discovered by security researcher Nikita Abramov of Positive Technologies Offensive Team. Abramov is credited with discovering CVE-2020-5135, along with Craig Young of VERT.
Learn Vulnerability Management
At the moment of writing this article, no public exploit or PoC was published online.
More details about this vulnerability can be found here:
Sources
SonicWall VPN Portal Critical Flaw (CVE-2020-5135), Tripwire
Vulnerability List, SonicWall
If you want to practice writing exploits and worms, there's a big hijacking hole in SonicWall firewall VPNs, The Register
CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability, Tenable
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
