Back in September 2020, I configured a SonicWall network security appliance to act as a VPN gateway between physical devices in my home lab and cloud resources on my Azure account. As I usually do with new devices on my network, I did some cursory security analysis of the product and it didn’t take long before I had identified what looked like a buffer overflow in response to an unauthenticated HTTP request. I quickly reported the issue to SonicWall’s PSIRT on September 18 and received a same day response that my report was a duplicate of another report they had received. When the advisory was ultimately published, I learned that the other report was one out of 11 from Nikita Abramov with Positive Technologies. In this post, I will discuss some aspects of the vulnerabilities I found, my interactions with SonicWall PSIRT, and some general thoughts about vulnerability handling and disclosure.

Reviewing the CVE-2020-5135 Vulnerability

I continued to research the issue I’d found and confirmed that it was in fact a stack-based buffer overflow and that the issue could likely be exploited to run code on the vulnerable SonicWall products. My analysis of the flaw indicated that an unbounded string copy was being used to copy data from an HTTP request header directly into a response buffer without an appropriate length check. On September 22, I wrote again to SonicWall PSIRT to ask for confirmation regarding the CVSS scoring of the issue and for an estimate of when the patch would be released. After a week without a response, I sent a follow-up email, and the team responded quickly this time to offer October 5 as a patch ETA but indicated that they did not have a CVSS score calculated.
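To make the bug class concrete, here is an added illustration of the pattern the paragraph describes: a request header value copied into a fixed-size response buffer with no length check, beside a bounded version that rejects oversized values before any copy happens. This is constructed example code written for this post, not SonicWall's code, and nothing in it reflects the actual layout of the affected product; the header name `X-Echo`, the `RESP_MAX` size, and the sample requests are all assumptions.

```c
/*
 * Added example: an unbounded header-to-response copy next to a bounded one.
 * Constructed for illustration; not SonicWall's code. The header name "X-Echo",
 * RESP_MAX and the request strings below are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define RESP_MAX 64                              /* hypothetical fixed-size response line */
#define PREFIX   "X-Echo: "
#define OVERHEAD (sizeof(PREFIX) - 1 + 2 + 1)    /* prefix + CRLF + NUL = 11 bytes */

/* Case-insensitive match of `name` at `p`, requiring the ':' that ends a header name. */
static int header_name_at(const char *p, const char *name)
{
    size_t i;
    for (i = 0; name[i]; i++)
        if (tolower((unsigned char)p[i]) != tolower((unsigned char)name[i]))
            return 0;
    return p[i] == ':';
}

/* Locate header `name` in a raw request. Returns the value start and its
 * length via *vlen (values are not NUL-terminated), or NULL if absent. */
static const char *find_header(const char *req, const char *name, size_t *vlen)
{
    const char *p = req;
    while ((p = strstr(p, "\r\n")) != NULL) {
        p += 2;
        if (*p == '\r' || *p == '\0')            /* blank line: end of header block */
            break;
        if (header_name_at(p, name)) {
            const char *v = p + strlen(name) + 1;
            while (*v == ' ' || *v == '\t')      /* skip optional whitespace */
                v++;
            const char *e = strstr(v, "\r\n");
            *vlen = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
    }
    return NULL;
}

/* Vulnerable shape: nothing checks that val fits in resp[RESP_MAX].
 * A value longer than RESP_MAX - OVERHEAD bytes writes past the end of resp;
 * when resp lives on the caller's stack, that is a stack-based overflow. */
static void echo_header_unsafe(const char *val, char *resp)
{
    strcpy(resp, PREFIX);
    strcat(resp, val);                           /* unbounded, attacker-controlled length */
    strcat(resp, "\r\n");
}

/* Hardened shape: refuse values that cannot fit, then use a bounded write.
 * Returns 0 on success, -1 when the value is rejected. */
static int echo_header_safe(const char *val, size_t vlen, char *resp, size_t resp_len)
{
    if (resp_len < OVERHEAD || vlen > resp_len - OVERHEAD)
        return -1;                               /* too long: reject before copying */
    int n = snprintf(resp, resp_len, PREFIX "%.*s\r\n", (int)vlen, val);
    return (n < 0 || (size_t)n >= resp_len) ? -1 : 0;
}

/* Parse the request, find the hypothetical X-Echo header, build the reply safely. */
int handle_request_safe(const char *req, char *resp, size_t resp_len)
{
    size_t vlen;
    const char *v = find_header(req, "X-Echo", &vlen);
    return v ? echo_header_safe(v, vlen, resp, resp_len) : -1;
}

/* Constructed sample request (not captured traffic); note the lowercase header name. */
static const char SHORT_REQ[] =
    "GET / HTTP/1.1\r\nHost: gw.example\r\nx-echo: hello\r\n\r\n";

/* Safe handler on a benign request: returns the response line, or NULL if rejected. */
const char *demo_short(void)
{
    static char resp[RESP_MAX];
    return handle_request_safe(SHORT_REQ, resp, sizeof resp) == 0 ? resp : NULL;
}

/* Safe handler on a constructed request carrying a 200-byte header value: rejected (-1). */
int demo_long(void)
{
    char big[201], req[256], resp[RESP_MAX];
    memset(big, 'A', 200);
    big[200] = '\0';
    snprintf(req, sizeof req, "GET / HTTP/1.1\r\nX-Echo: %s\r\n\r\n", big);
    return handle_request_safe(req, resp, sizeof resp);
}

/* With a benign value both shapes produce the same line; only the bound check differs.
 * (Deliberately not called with the 200-byte value: that would corrupt the stack.) */
const char *demo_unsafe_short(void)
{
    static char resp[RESP_MAX];
    echo_header_unsafe("hello", resp);
    return resp;
}

int main(void)
{
    const char *line = demo_short();
    printf("short request: %s", line ? line : "(rejected)\n");
    printf("long request: rc=%d (rejected before any copy)\n", demo_long());
    return 0;
}
```

The important line is the explicit `vlen > resp_len - OVERHEAD` check: a bounded write alone (`snprintf`) would silently truncate, which is safe for memory but hides the condition; rejecting the request and returning an error makes the oversized input visible in logs and tests.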

When October 5 came, there was no vulnerability advisory being