Dangerous vulnerability in SonicWall products was not fully fixed

Dangerous vulnerability in SonicWall
Written by Emma Davis

In the fall of 2020, Tripwire experts spoke about the dangerous vulnerability CVE-2020-5135 found in SonicOS, which runs the SonicWall Network Security Appliance (NSA) devices.

Typically, such equipment is used as firewalls and SSL VPN portals to filter and control access to private networks.

It was emphasized that the exploitation of the bug does not require high qualifications from the attacker, and it can hardly be called difficult. At the same time, CVE-2020-5135 received a critical status and scored 9.4 points out of 10 possible on the CVSS vulnerability assessment scale. The researchers expected that once the PoC exploit appeared, the problem would be actively exploited by attackers who would not even need credentials for attacks.

Exploiting the problem could lead to both denial of service (DoS) and arbitrary code execution. And the researchers found that 795,357 publicly available SonicWall VPNs were vulnerable to the problem.

As it turned out now, in the fall of 2020, the problem was not completely fixed, and now the bug was assigned a new identifier – CVE-2021-20019.

Tripwire specialist Craig Young said that he tested his PoC exploit on patched SonicWall products and concluded that the fix was “unsuccessful.” It turned out that now the PoC exploit provokes not a denial of service, but a binary flood in the HTTP response.

Young believes that the binary data returned in HTTP responses could be memory addresses.

Although I’ve never seen an OCR memory leak, I think the result may vary depending on how the target system is used. I also suspect that the values in these results may, in fact, be memory addresses, which might be useful to exploit the error similar to RCE.says the researcher.

After reporting the issue to SonicWall on October 6, 2020, the researcher sent several more messages to the developers, including twice in March this year. SonicWall has issued new security bulletins (1,2) related to this vulnerability and prepared patches. Although patches are already available for most products, the NSsp 12K, SuperMassive 10k and SuperMassive 9800 platforms are still awaiting a patch release.

Let me remind you that we also talked about attacks on 0-day vulnerability in SonicWall products.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply

Sending