Sonicwall has released patches to fix a denial of service and remote code execution vulnerability in their Network Application Security appliances (virtual firewalls). The vulnerability exists in the code which handles SSL VPN access – meaning it is usually exposed to the public internet.
The vulnerability was discovered by researchers at Tripwire who describe the severity of the issue:
An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts.
A security advisory from Sonicwall (CVE-2020-5135) explains the vulnerability is a buffer overflow that can be exploited to cause a denial of service attack and potential run arbitrary code on the device. The vulnerability affects version 6 of the Sonic OS (18.104.22.168, 22.214.171.124, 126.96.36.199 and SonicOSv 6.5.4.v) – version 7 was not affected.
With a CVSS score of 9.4, this critical vulnerability deserves prompt attention.
With the rise of Network Access Sellers, this class of vulnerability is more likely to be the target of professional ransomware gangs who will purchase access to vulnerable networks.