Vulnerability Description

Tripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.

Exposure and Impact

An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts.

SonicWall has indicated that the following versions are vulnerable:

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Remediation & Mitigation

SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied.

SonicWall has indicated that the following versions include a fix for this issue:

  • SonicOS 6.5.4.7-83n
  • SonicOS 6.5.1.12-1n
  • SonicOS 6.0.5.3-94o
  • SonicOS 6.5.4.v-21s-987
  • Gen 7 7.0.0.0-2 and onwards

Detection

Tripwire IP360 starting with ASPL-909 contains remote heuristic detection of the vulnerable service.

More information about detecting possible attacks will be shared as needed after more system owners have had an opportunity to patch.

References

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010