Vulnerability DescriptionTripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
Exposure and ImpactAn unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts. SonicWall has indicated that the following versions are vulnerable:
- SonicOS 22.214.171.124-79n and earlier
- SonicOS 126.96.36.199-4n and earlier
- SonicOS 188.8.131.52-93o and earlier
- SonicOSv 184.108.40.206-44v-21-794 and earlier
- SonicOS 220.127.116.11-1
Remediation & MitigationSonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied. SonicWall has indicated that the following versions include a fix for this issue:
- SonicOS 18.104.22.168-83n
- SonicOS 22.214.171.124-1n
- SonicOS 126.96.36.199-94o
- SonicOS 6.5.4.v-21s-987
- Gen 7 188.8.131.52-2 and onwards
DetectionTripwire IP360 starting with ASPL-909 contains remote heuristic detection of the vulnerable service. More information about detecting possible attacks will be shared as needed after more system owners have had an opportunity to patch.
Editor's Note 1:45 p.m. PT, October 16, 2020: A representative from SonicWall has provided the following comment:
“SonicWall maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP. As such, the company takes every disclosure or discovery seriously. “SonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation virtual firewall models (6.5.4v) that could potentially result in Denial-of-Service (DoS) attacks and/or cross-site scripting (XSS) vulnerabilities.“ Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis lead to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring Common Vulnerabilities and Exposures (CVE) listings based on the Common Vulnerability Scoring System (CVSS). The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”