Nearly 800,000 SonicWall VPNs Need Critical Flaw Patching

Written by

Nearly 800,000 VPNs around the world need urgent patching after a vendor issued a security update for a critical flaw this week.

Researchers from Tripwire found the stack-based buffer overflow vulnerability in SonicWall’s Network Security Appliance (NSA), or more specifically, its underlying SonicOS software.

According to Tripwire security researcher Craig Young, who discovered the bug, the problem exists in the HTTP/HTTPS service used for product management and SSL VPN remote access. It can apparently be triggered by an unauthenticated HTTP request involving a custom protocol handler.

“An unskilled attacker can use this flaw to cause a persistent denial of service condition,” Young continued.

“Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public internet.”

With over 795,000 SonicWall devices exposed according to a Shodan search made by Tripwire on Wednesday, the bug could be exploited to cause widespread damage.

According to SonicWall, the vulnerability has a CVSS score of 9.4, perhaps a reflection of the fact it could lead not only to denial of service but also arbitrary remote code execution.

The affected versions are: SonicOS 6.5.4.7-79n and earlier, SonicOS 6.5.1.11-4n and earlier, SonicOS 6.0.5.3-93o and earlier, SonicOSv 6.5.4.4-44v-21-794 and earlier and SonicOS 7.0.0.0-1.

The vendor released patches on Monday.

VPN systems are increasingly being targeted by attackers looking to find a way into corporate systems, given the large numbers of remote workers currently reliant on them.

In April it was confirmed that cyber-criminals were exploiting known bugs in Citrix and Pulse Secure VPNs to deploy ransomware in hospitals, while just this week it emerged that other attackers were chaining VPN exploits with Zerologon to compromise Active Directory (AD) identity services.

SonicWall sent Infosecurity a statement to confirm it takes every vulnerability disclosure seriously.

“Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of additional unique vulnerabilities to virtual and hardware appliances requiring CVE listings based on CVSS,” it explained.

“The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted.”

What’s hot on Infosecurity Magazine?