THREAT UPDATE
On June 23, security researchers reported that SonicWall’s stack-based Buffer Overflow vulnerability from late last year was only partially patched, yielding another attack vector for unpatched systems. A threat actor can send malicious requests to the firewall to execute code remotely and gain a foothold in an unpatched environment through partial memory leaks. rocketwise recommends patching all affected SonicWall VPN appliances as soon as possible.
TECHNICAL DETAIL & ADDITIONAL INFORMATION
WHAT IS THE THREAT?
SonicWall VPN appliances had a critical stack-based Buffer Overflow vulnerability (CVE-2020-5135) in October of last year. On June 23, a new critical vulnerability related to the October one was identified, as researchers realized that last year’s vulnerability was only partially patched. For the new vulnerability, identified as CVE-2021-20019, SonicWall’s team reported that “SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.”
WHY IS IT NOTEWORTHY?
All critical vulnerabilities that allow a threat actor to execute arbitrary code should be taken very seriously. If the vulnerability is left unpatched, a threat actor could gain an initial foothold in your environment that could lead to lateral movement, persistence, and privilege escalation. The vulnerability resides in the web service used for VPN systems and product management. The exploit’s Proof-of-Concept details an unauthenticated HTTP request with custom protocols.
WHAT IS THE EXPOSURE OR RISK?
As reported by SonicWall in their advisory, this exploit “affects SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” If the firewall is left unpatched, an attacker can send these malicious HTTP/HTTPS custom protocol requests to it to gain access to your systems.
WHAT ARE THE RECOMMENDATIONS?
rocketwise recommends patching any vulnerable SonicWall platforms as soon as possible. The following tables list the patch releases for specific SonicOS platforms:
Platforms: NSa, TZ, NSsp (GEN7)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| NSa, TZ – 7.0.0-713 and older | 7.0.0-R906 and later, 7.0.1-R1456 |
| NSsp – below 7.0.0.376 | 7.0.0.376 and later, 7.0.1-R579 |

Platforms: NSv (Virtual: GEN7)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| NSsp – 7.0.1-R1036 and older | 7.0.1-R1282/1283 |

Platforms: NSa, TZ, SOHO W, SuperMassive 92xx/94xx/96xx (GEN6+)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.5.4.8-83n and older | 6.5.4.8-89n |

Platforms: NSsp 12K, SuperMassive 9800

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.5.1.12-3n and older | Pending Release |

Platforms: SuperMassive 10k

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.0.5.3-94o and older | Pending Release |

Platforms: NSv (Virtual: VMWare/Hyper-V/AWS/Azure/KVM)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| SonicOSv – 6.5.4.4-44v-21-955 and older | 6.5.4.4-44v-21-1288 |
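
To apply the tables above to a firewall inventory, the following added example (not part of the original advisory and not SonicWall code) compares each appliance's running build with the patch release listed for its platform. The platform keys, host names and sample builds are constructed for illustration, and comparing the numeric fields of a build string within one x.y.z release train is an assumption about SonicOS build numbering.

```python
import re

# Fixed builds transcribed from the advisory tables on this page. The dictionary
# keys are labels made up for this example; None means "Pending Release".
FIXED_BUILDS = {
    "gen7-nsa-tz": ["7.0.0-R906", "7.0.1-R1456"],
    "gen7-nssp": ["7.0.0.376", "7.0.1-R579"],
    "gen7-nsv": ["7.0.1-R1282"],  # the table lists R1282/1283
    "gen6-nsa-tz-soho-sm9x00": ["6.5.4.8-89n"],
    "gen6-nssp12k-sm9800": None,
    "gen6-sm10k": None,
    "gen6-nsv": ["6.5.4.4-44v-21-1288"],
}

def build_key(version):
    """Turn '7.0.0-R906' or '6.5.4.8-89n' into a tuple of its numeric fields."""
    fields = tuple(int(n) for n in re.findall(r"\d+", version))
    if len(fields) < 4:
        raise ValueError(f"not a full SonicOS build string: {version!r}")
    return fields

def assess(platform, running):
    """Return 'patched', 'vulnerable', 'no-fix-yet' or 'review'."""
    fixed = FIXED_BUILDS[platform]
    if fixed is None:
        return "no-fix-yet"  # advisory lists no patch release for this platform
    key = build_key(running)
    # Assumption: builds are only comparable within one release train (x.y.z).
    same_train = [build_key(f) for f in fixed if build_key(f)[:3] == key[:3]]
    if not same_train:
        return "review"  # train not covered by the tables; check the vendor advisory
    return "patched" if key >= min(same_train) else "vulnerable"

def audit(inventory):
    """Map each (host, platform, running build) row to its assessment."""
    return {host: assess(platform, build) for host, platform, build in inventory}

# Constructed inventory: host names and running builds are invented for the example.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "gen7-nsa-tz", "7.0.0-713"),
    ("fw-branch-02", "gen7-nsa-tz", "7.0.1-R1456"),
    ("fw-core-01", "gen6-nsa-tz-soho-sm9x00", "6.5.4.8-83n"),
    ("fw-dc-01", "gen6-sm10k", "6.0.5.3-94o"),
    ("fw-lab-01", "gen7-nssp", "7.1.0-R100"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Appliances reported as "no-fix-yet" or "review" need a manual check against the current SonicWall advisory rather than being treated as safe.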
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://securityaffairs.co/wordpress/119269/security/sonicwall-vpn-unpatched-flaw.html
- https://securityaffairs.co/wordpress/109560/hacking/sonicwall-cve-2020-5135-flaw.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006
If you have any questions, please contact us.