SonicWall ‘Botches’ October Patch for Critical VPN Bug

A patch rolled out in October for a critical SonicWall VPN bug turned out to be insufficient to fix the problem, leaving more than 800,000 devices vulnerable to remote code execution (RCE) for months, one of the researchers who identified the flaw has found.

SonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as CVE-2020-5135, back in October.

However, Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was “botched,” needing a “one- or two-line fix” to be complete, he wrote in a report published Tuesday, which details the specifics of where the fix went wrong.

Moreover, though SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.

“I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,” he wrote. “I reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.”

Where It Went Wrong

Young and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.

The vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his analysis at the time.

Abramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch to resolve the problem. That date later was pushed up to Oct. 14, he said, which is when SonicWall also acknowledged to Threatpost that it had indeed issued a patch for the flaw.

However, after the patch was released, Young tested a SonicWall VPN on Microsoft Azure to confirm how it responded to a proof-of-concept exploit he’d devised for the flaw and found that it was still vulnerable. However, though it did not crash the system, the exploit payload did trigger a flood of binary data in response, he wrote, providing a screenshot of the result in his analysis.

“As you can see from the screenshot, there are values in the binary data which certainly look like they could be memory addresses,” Young wrote. “Although I never observed recognizable text in the leaked memory, I believe this output could vary based on how the target system is used. I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug.”

Young’s final assessment of his test was that the fix was incomplete, he said. “The unbounded string copy was replaced with an appropriate memory safe function, but the return value was not properly considered,” he wrote.

Delayed Security Advisory

Young reported his findings to SonicWall PSIRT on Oct. 6 and followed up several times before receiving a response on Oct. 9 that “confirmed my expectation that this was the result of an improper fix for CVE-2020-5135, and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure,” he wrote.

Six days later, Young said he received a response from the company that he would be informed when the memory-dump issue he identified was resolved and ready for release. He followed up again in March when he still had not heard back, he said.

Ultimately, it would take until this Wednesday, June 22, before SonicWall would publicly post the advisory for the updated patch to the vulnerability, Young wrote.

The security advisory also patches a number of other bugs in SonicWall platforms, a complete list of which is available in both the company’s post and Young’s analysis.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!