Quantcast
Channel: Tenable Blog
Viewing all articles
Browse latest Browse all 1935

CVE-2020-5135: Critical SonicWall VPN Portal Stack-based Buffer Overflow Vulnerability

$
0
0

Researchers disclose a critical pre-authentication vulnerability in the SonicWall VPN Portal that is easily exploitable.

Background

On October 12, SonicWall published a security advisory (SNWLID-2020-0010) to address a critical vulnerability in SonicOS that could lead to remote code execution (RCE). The vulnerability was discovered by security researchers at Tripwire’s Vulnerability and Exposure Research Team (VERT).

Analysis

CVE-2020-5135 is a stack-based buffer overflow vulnerability in the VPN Portal of SonicWall’s Network Security Appliance. A remote, unauthenticated attacker could exploit the vulnerability by sending a specially crafted HTTP request with a custom protocol handler to a vulnerable device. At a minimum, successful exploitation would result in a denial of service condition against the exploited device, exhausting its resources.

Remote code execution “likely feasible” but not without additional footwork

The researchers added that they were able to “divert execution flow through stack corruption” which means achieving RCE is “likely feasible.” In an interview with Threatpost, Craig Young of VERT noted that to gain RCE, an attacker would also need “an information leak and a bit of analysis.”

Hundreds of thousands of devices may be impacted

According to VERT, nearly 800,000 hosts may be affected. This is based on a Shodan search for the HTTP server banner, which was not provided.

Our own Shodan search for vulnerable SonicWall devices led us to two specific search queries:

The combined results from Shodan using these search queries led to a total of 795,674 hosts. In the VERT advisory, they specified that 795,357 hosts were vulnerable.

Example output from two Shodan search results for SonicWall firewall and VPNs

The Tenable Security Response Team was not able to independently confirm the hosts found on Shodan were indeed affected by this particular vulnerability. The hosts discovered with our Shodan queries are indicative that they are internet facing SonicWall servers, their respective versions could not be determined and thus it is unclear if they are vulnerable.

SSL VPN vulnerabilities: the gift that keeps on giving

Over the last year, cybercriminals and threat actors have been steadily leveraging vulnerabilities in a variety of SSL VPN solutions. As VPNs are found at the edge of a network and in most cases, publicly accessible, they are an enticing target for attackers. Exploitation of these devices can allow an attacker to pivot to an internal network and begin targeting additional hosts. Some notable vulnerabilities in VPN devices over the past year include:

CVEVendor/ProductCVSSv3Tenable VPR*
CVE-2018-13379Fortinet FortiOS SSL VPN9.89.8
CVE-2019-11510Pulse Connect Secure SSL VPN10.010.0
CVE-2019-19781Citrix NetScaler ADC9.89.9
CVE-2019-1579Palo Alto Networks Global Protect SSL VPN9.89.7

*Please note Tenable VPR scores are calculated nightly. This blog post was published on October 15 and reflects VPR at that time.

In the Cybersecurity Infrastructure Security Agency (CISA) alert (AA20-133A) entitled “Top 10 Routinely Exploited Vulnerabilities,” both CVE-2019-11510 and CVE-2019-1978 are featured as two of the most routinely exploited vulnerabilities in 2020.

In subsequent alerts from CISA, they’ve observed foreign threat actors utilizing several SSL VPN vulnerabilities as part of their attacks. On October 9, CISA issued a joint cybersecurity advisory with the Federal Bureau of Investigation regarding advanced persistent threat (APT) group activity, which highlighted the usage of CVE-2018-13379, CVE-2019-11510, CVE-2019-19781 as part of APT toolkits to gain initial access into their targeted environments.

With CVE-2020-5135, attackers potentially have another SSL VPN vulnerability in their respective toolboxes to target vulnerable systems.

SonicWall patched 10 additional vulnerabilities

In total, SonicWall patched 11 vulnerabilities on October 12. The following table lists the remaining 10 vulnerabilities that were patched:

CVEAdvisory IDTypeCVSSv3
CVE-2020-5133SNWLID-2020-0008Unauthenticated Buffer Overflow8.2
CVE-2020-5134SNWLID-2020-0009Out-of-Bound Invalid File Reference6.5
CVE-2020-5136SNWLID-2020-0011Authenticated Buffer Overflow6.5
CVE-2020-5137SNWLID-2020-0012Unauthenticated Buffer Overflow7.5
CVE-2020-5138SNWLID-2020-0013Unauthenticated Heap Overflow7.5
CVE-2020-5139SNWLID-2020-0014Unauthenticated Release of Invalid Pointer7.5
CVE-2020-5140SNWLID-2020-0015Unauthenticated Malicious HTTP Request7.5
CVE-2020-5141SNWLID-2020-0016Unauthenticated Brute Force6.5
CVE-2020-5142SNWLID-2020-0017Stored Cross-Site Scripting (XSS)6.5
CVE-2020-5143SNWLID-2020-0018Administrator Username Enumeration5.3

All of these vulnerabilities were discovered by security researcher Nikita Abramov of Positive Technologies Offensive Team. Abramov is credited with discovering CVE-2020-5135 along with Craig Young of VERT.

Proof of concept

At the time this blog post was published, no PoC code was available for any of the vulnerabilities, including CVE-2020-5135.

Solution

SonicWall published patches for all 11 vulnerabilities. The following table lists the affected versions along with their associated fixed version. Organizations are strongly encouraged to upgrade to a fixed version as soon as possible.

Affected VersionsFixed Versions
SonicOS 6.5.4.7-79n and belowSonicOS 6.5.4.7-83n
SonicOS 6.5.1.11 and belowSonicOS 6.5.1.12-1n
SonicOS 6.0.5.3-93o and belowSonicOS 6.0.5.3-94o
SonicOSv 6.5.4.4-44v-21-794 and belowSonicOS 6.5.4.v-21s-987
SonicOS 7.0.0.0-1SonicOS 7.0.0.0-2 and above

If upgrading is not feasible at this time, a temporary workaround, while inconvenient, would be to ensure the SonicWall SSL VPN portal has been disabled.

Identifying affected systems

A list of Tenable plugins to identify CVE-2020-5135 will appear here as they’re released.

Get more information

Join Tenable's Security Response Team on the Tenable Community.

Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.

Get a free 30-day trial of Tenable.io Vulnerability Management.


Viewing all articles
Browse latest Browse all 1935

Trending Articles