Attacker Value
High
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2020-5135

Disclosure Date: October 12, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

Add Assessment

2
Ratings
Technical Analysis

There’s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If Positive Technologies or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, “patch fast but don’t panic” is good advice, as it always is with VPNs. There’s full analysis for this bug in the Rapid7 Analysis tab here.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • sonicwall

Products

  • sonicos,
  • sonicos 7.0.0.0,
  • sonicosv

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis

Description

On Monday, October 12, 2020, SonicWall published a security advisory for CVE-2020-5135, a buffer overflow vulnerability in SonicWall SonicOS. The bug allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. CVE-2020-5135 carries a CVSSv3 base score of 9.4.

Craig Young, one of the researchers who discovered and disclosed the vulnerability to SonicWall, published a blog post on Tripwire’s website explaining the vulnerability in more detail. According to Young, the vulnerability exists pre-authentication and within a component (SSLVPN) that is typically exposed to the public Internet. Additionally, Young reports that Tripwire researchers were able to divert program execution flow, indicating that remote code execution (RCE) is possible.

There is no proof-of-concept (PoC) available, nor are there any reports of exploitation in the wild as of October 15, 2020.

Affected products

  • SonicOS 6.5.4.7-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1

Rapid7 analysis

Using binwalk’s entropy analysis (-E) feature, we can surmise that the SonicOS firmware is obfuscated, encrypted, or compressed in an unknown format, with few plaintext artifacts that can be identified. The output of binwalk -E can be seen below.

DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
0             0x0             Rising entropy edge (0.985600)

The high entropy throughout the firmware file suggests that SonicWall has taken measures to prevent casual analysis of their firmware. Despite this, an unauthenticated RCE vulnerability in usually internet-facing VPN software is a high-value target for attackers and thus immediate cause for concern. Tripwire’s research suggests that there are nearly 800,000 affected SonicOS devices on the internet; at least one sample Shodan dork to identify internet-exposed instances of SonicWall has been shared on Twitter.

CVE-2020-5135 has broad, easily available attack surface area that presents an attractive target for both sophisticated and commodity attackers. Rapid7 researchers classify this vulnerability as an impending threat, though weaponization of the DoS action is probably likelier in the short-term than reliable, weaponized remote code execution. That may change as further community power is directed at technical analysis and exploit development.

Guidance

Though no PoC for the vulnerability is currently available, Rapid7 researchers highly recommend updating SonicOS to one of the following versions:

  • SonicOS 6.5.4.7-83n
  • SonicOS 6.5.1.12-1n
  • SonicOS 6.0.5.3-94o
  • SonicOS 6.5.4.v-21s-987
  • Gen 7 7.0.0.0-2 and onwards

References