High
CVE-2020-5135
Description
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.
Ratings
Attacker Value: High
Technical Analysis
There’s high attacker value here if an attacker A) wants to cause a little mayhem, and/or B) can actually turn the DoS into reliable RCE. The first option is probably the likelier outcome in the immediate future. If Positive Technologies or Tripwire releases a PoC, the likelihood of broad exploitation probably rises significantly. For now, “patch fast but don’t panic” is good advice, as it always is with VPNs. There’s full analysis for this bug in the Rapid7 Analysis tab here.
General Information
Vendors
- sonicwall
Products
- sonicos
- sonicos 7.0.0.0
- sonicosv
Technical Analysis
Description
On Monday, October 12, 2020, SonicWall published a security advisory for CVE-2020-5135, a buffer overflow vulnerability in SonicWall SonicOS. The bug allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. CVE-2020-5135 carries a CVSSv3 base score of 9.4.
Craig Young, one of the researchers who discovered and disclosed the vulnerability to SonicWall, published a blog post on Tripwire’s website explaining the vulnerability in more detail. According to Young, the vulnerability exists pre-authentication and within a component (SSLVPN) that is typically exposed to the public Internet. Additionally, Young reports that Tripwire researchers were able to divert program execution flow, indicating that remote code execution (RCE) is possible.
There is no proof-of-concept (PoC) available, nor are there any reports of exploitation in the wild as of October 15, 2020.
Affected products
- SonicOS 6.5.4.7-79n and earlier
- SonicOS 6.5.1.11-4n and earlier
- SonicOS 6.0.5.3-93o and earlier
- SonicOSv 6.5.4.4-44v-21-794 and earlier
- SonicOS 7.0.0.0-1
Rapid7 analysis
Using binwalk’s entropy analysis (-E) feature, we can surmise that the SonicOS firmware is obfuscated, encrypted, or compressed in an unknown format, with few plaintext artifacts that can be identified. The output of binwalk -E can be seen below.

    DECIMAL       HEXADECIMAL     ENTROPY
    --------------------------------------------------------------------------------
    0             0x0             Rising entropy edge (0.985600)
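The entropy scan above is the standard first step for deciding whether a firmware image can be unpacked and reviewed at all. The following added example (not from the original page, and not Rapid7's or SonicWall's code) reimplements the idea behind binwalk -E in plain Python: it computes Shannon entropy per 1 KiB block, reports the points where the normalised entropy crosses a threshold in binwalk's "Rising/Falling entropy edge" layout, and counts printable-string artifacts. The SonicOS firmware is not reproduced here; the input is a constructed sample made of a short plaintext header followed by a seeded pseudo-random body, which is what an encrypted or compressed image looks like to this kind of scan. The block size and 0.9 threshold are assumptions chosen for the demo.

```python
import math
import random
import re
from collections import Counter

# Constructed sample "firmware image": 4 KiB of plaintext header followed by
# 16 KiB of seeded pseudo-random bytes standing in for an opaque payload.
# This is NOT a real firmware file; it only exercises the scan.
_PLAINTEXT_HEADER = (b"DEMO-FIRMWARE-HEADER v1.0 (constructed sample)\n" * 128)[:4096]
_rng = random.Random(20201012)                       # fixed seed: deterministic output
_OPAQUE_BODY = bytes(_rng.getrandbits(8) for _ in range(16 * 1024))
SAMPLE_IMAGE = _PLAINTEXT_HEADER + _OPAQUE_BODY      # 20 blocks of 1 KiB

BLOCK_SIZE = 1024        # assumed scan granularity (binwalk -E also scans in blocks)
EDGE_THRESHOLD = 0.9     # assumed: normalised entropy at/above this counts as "opaque"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(blob: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Normalised (0..1) entropy of each consecutive block of the blob."""
    return [shannon_entropy(blob[i:i + block_size]) / 8.0
            for i in range(0, len(blob), block_size)]


def entropy_edges(profile, block_size=BLOCK_SIZE, threshold=EDGE_THRESHOLD):
    """Offsets where the profile crosses the threshold, labelled like binwalk does."""
    edges, above = [], False
    for idx, value in enumerate(profile):
        if value >= threshold and not above:
            edges.append((idx * block_size, "Rising entropy edge", round(value, 6)))
            above = True
        elif value < threshold and above:
            edges.append((idx * block_size, "Falling entropy edge", round(value, 6)))
            above = False
    return edges


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Plaintext artifacts: runs of printable ASCII, the same check `strings` does."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def analyze(blob: bytes, block_size=BLOCK_SIZE, threshold=EDGE_THRESHOLD) -> dict:
    """Summarise how much of the image is opaque and where the transitions are."""
    profile = entropy_profile(blob, block_size)
    high = sum(1 for v in profile if v >= threshold)
    fraction_high = high / len(profile) if profile else 0.0
    # High entropy alone cannot tell encryption from compression or obfuscation;
    # a signature scan (which this example does not do) is needed for that.
    if fraction_high >= 0.75:
        verdict = "mostly opaque: encrypted, compressed or obfuscated"
    elif fraction_high > 0.0:
        verdict = "mixed: plaintext regions alongside opaque regions"
    else:
        verdict = "mostly plaintext"
    return {
        "blocks": len(profile),
        "high_entropy_blocks": high,
        "fraction_high": fraction_high,
        "edges": entropy_edges(profile, block_size, threshold),
        "strings": printable_strings(blob),
        "verdict": verdict,
    }


def format_report(edges) -> list:
    """Render edges in binwalk's three-column layout (DECIMAL HEXADECIMAL ENTROPY)."""
    lines = [f"{'DECIMAL':<14}{'HEXADECIMAL':<16}ENTROPY", "-" * 80]
    for offset, label, value in edges:
        lines.append(f"{offset:<14}{hex(offset):<16}{label} ({value:.6f})")
    return lines


if __name__ == "__main__":
    result = analyze(SAMPLE_IMAGE)
    print("\n".join(format_report(result["edges"])))
    print(f"{result['high_entropy_blocks']}/{result['blocks']} blocks opaque; "
          f"{len(result['strings'])} printable strings; verdict: {result['verdict']}")
```

To run it against a real image, read the file as bytes and pass it to analyze(). On the constructed sample the scan reports a single rising edge at offset 4096, where the plaintext header ends, and 16 of 20 blocks above the threshold; an image like the one described in the analysis, with no plaintext header at all, produces a rising edge at offset 0 and essentially no string artifacts, which is exactly the signal that unpacking will need a vendor format or key rather than a stock carver.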
The high entropy throughout the firmware file suggests that SonicWall has taken measures to prevent casual analysis of their firmware. Despite this, an unauthenticated RCE vulnerability in usually internet-facing VPN software is a high-value target for attackers and thus immediate cause for concern. Tripwire’s research suggests that there are nearly 800,000 affected SonicOS devices on the internet; at least one sample Shodan dork to identify internet-exposed instances of SonicWall has been shared on Twitter.
CVE-2020-5135 has broad, easily available attack surface area that presents an attractive target for both sophisticated and commodity attackers. Rapid7 researchers classify this vulnerability as an impending threat, though weaponization of the DoS action is probably likelier in the short-term than reliable, weaponized remote code execution. That may change as further community power is directed at technical analysis and exploit development.
Guidance
Though no PoC for the vulnerability is currently available, Rapid7 researchers highly recommend updating SonicOS to one of the following versions:
- SonicOS 6.5.4.7-83n
- SonicOS 6.5.1.12-1n
- SonicOS 6.0.5.3-94o
- SonicOS 6.5.4.v-21s-987
- Gen 7 7.0.0.0-2 and onwards