Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE

A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources. It could also open the door to remote code execution (RCE), researchers said.

The flaw (CVE-2020-5135) is a stack-based buffer overflow in the SonicWall Network Security Appliance (NSA). According to the researchers at Tripwire who discovered it, the flaw exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.

An unskilled attacker could trigger a persistent denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler, wrote Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), in a Tuesday analysis. But the damage could go further.

“VPN bugs are tremendously dangerous for a bunch of reasons,” he told Threatpost. “These systems expose entry points into sensitive networks and there is very little in the way of security introspection tools for system admins to recognize when a breach has occurred. Attackers can breach a VPN and then spend months mapping out a target network before deploying ransomware or making extortion demands.”

Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet.

“The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password,” Young told Threatpost. “It is trivial to force a system to reboot…An attacker can simply send crafted requests to the SonicWALL HTTP(S) service and trigger memory corruption.”

However, he added that a code-execution attack does require a bit more work.

“Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption, indicating that a code-execution exploit is likely feasible,” he wrote, adding in an interview that an attacker would need to also leverage an information leak and a bit of analysis to pull it off.

That said, “If someone takes the time to prepare RCE payloads, they could likely create a sizeable botnet through a worm,” he said.

There’s no sign of exploitation so far, Young said, but a Shodan search for the affected HTTP server banner indicated 795,357 vulnerable hosts as of Tuesday.

SonicWall has issued a patch; SSL VPN portals may be disconnected from the internet as a temporary mitigation before the patch is applied.

The following versions are vulnerable: SonicOS 6.5.4.7-79n and earlier; SonicOS 6.5.1.11-4n and earlier; SonicOS 6.0.5.3-93o and earlier; SonicOSv 6.5.4.4-44v-21-794 and earlier; and SonicOS 7.0.0.0-1.

“Organizations exposing VPN portals to the web should not consider these systems as impenetrable fortresses,” Young told Threatpost. “If the last 18 months has shown anything, it is that enterprise VPN firewalls can be just as insecure as a cheap home router. It is crucial to employ a tiered security model to recognize and respond to unauthorized activity.”