Cybersecurity Threat Advisory 0047-21: Buffer Overflow in HTTP Request Header Leads to Partial Memory Leak (SonicWall)

Threat Update

On June 23, security researchers reported that SonicWall’s stack-based Buffer Overflow vulnerability from late last year was only partially patched, yielding another attack vector for unpatched systems. A threat actor can send malicious requests to the firewall to execute code remotely and gain a foothold into an unpatched environment through partial memory leaks. SKOUT recommends patching all affected SonicWall VPN appliances as soon as possible.

Technical Detail & Additional Information

WHAT IS THE THREAT?

SonicWall VPN appliances had a critical vulnerability (CVE-2020-5135) in October of last year that was a stack-based buffer overflow. On June 23, a new critical vulnerability related to the October vulnerability was identified, as researchers realized that last year's vulnerability was only partially patched. For the new vulnerability, identified as CVE-2021-20019, SonicWall's team reported that “SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall.”

WHY IS IT NOTEWORTHY?

All critical vulnerabilities that allow a threat actor to execute arbitrary code should be taken very seriously. Left unpatched, a threat actor could gain an initial foothold in your environment that could lead to lateral movement, persistence, and privilege escalation. The vulnerability resides in the web service used for VPN systems and product management. The exploit's proof of concept details an unauthenticated HTTP request with custom protocols.

WHAT IS THE EXPOSURE OR RISK?

As reported by SonicWall in their advisory, this exploit “affects SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.” Left unpatched, an attacker can send these malicious HTTP/HTTPS custom protocol requests to your firewall environment to gain access to your systems.

WHAT ARE THE RECOMMENDATIONS?

SKOUT recommends patching any vulnerable SonicWall platforms as soon as possible. The following tables list the patch releases for specific SonicOS platforms:

Platforms: NSa, TZ, NSsp (GEN7)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| NSa, TZ – 7.0.0-713 and older | 7.0.0-R906 and later, 7.0.1-R1456 |
| NSsp – below 7.0.0.376 | 7.0.0.376 and later, 7.0.1-R579 |

Platforms: NSv (Virtual: GEN7)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| NSsp – 7.0.1-R1036 and older | 7.0.1-R1282/1283 |

Platforms: NSa, TZ, SOHO W, SuperMassive 92xx/94xx/96xx (GEN6+)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.5.4.8-83n and older | 6.5.4.8-89n |

Platforms: NSsp 12K, SuperMassive 9800

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.5.1.12-3n and older | Pending Release |

Platforms: SuperMassive 10k

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| 6.0.5.3-94o and older | Pending Release |

Platforms: NSv (Virtual: VMWare/Hyper-V/AWS/Azure/KVM)

| SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| --- | --- |
| SonicOSv – 6.5.4.4-44v-21-955 and older | 6.5.4.4-44v-21-1288 |
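
One way to check a firewall inventory against the patch tables above (an added example, not SKOUT's or SonicWall's code). The platform family labels, the host names and the rule of comparing the numeric parts of a version string within one release branch are assumptions of this example.

```python
import re

# Fixed builds transcribed from the advisory's tables, keyed by
# (platform family, release branch). None = "Pending Release".
# Family labels are names invented for this example.
FIXED = {
    ("gen7-nsa-tz", "7.0.0"): "7.0.0-R906",
    ("gen7-nsa-tz", "7.0.1"): "7.0.1-R1456",
    ("gen7-nssp", "7.0.0"): "7.0.0.376",
    ("gen7-nssp", "7.0.1"): "7.0.1-R579",
    ("gen7-nsv", "7.0.1"): "7.0.1-R1282",  # table lists R1282/1283
    ("gen6", "6.5.4"): "6.5.4.8-89n",
    ("nssp12k-sm9800", "6.5.1"): None,
    ("sm10k", "6.0.5"): None,
    ("gen6-nsv", "6.5.4"): "6.5.4.4-44v-21-1288",
}

def ints(version):
    """Numeric parts of a version string; letter prefixes/suffixes are ignored
    (assumption: '6.5.4.8-83n' compares as 6,5,4,8,83)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def assess(family, running):
    """Return 'patched', 'update', 'no-patch-yet' or 'unknown'."""
    parts = ints(running)
    branch = ".".join(str(p) for p in parts[:3])
    if (family, branch) not in FIXED:
        return "unknown"        # branch not covered by the advisory tables
    fixed = FIXED[(family, branch)]
    if fixed is None:
        return "no-patch-yet"   # advisory lists the fix as pending
    return "patched" if parts >= ints(fixed) else "update"

# Constructed sample inventory: (host, platform family, running version).
INVENTORY = [
    ("fw-branch-01", "gen7-nsa-tz", "7.0.0-713"),
    ("fw-branch-02", "gen7-nsa-tz", "7.0.1-R1456"),
    ("fw-dc-01", "gen6", "6.5.4.8-83n"),
    ("fw-core-01", "sm10k", "6.0.5.3-94o"),
    ("fw-lab-01", "gen6", "6.2.7.1-23n"),  # branch not in the tables
]

def report(inventory):
    return {host: assess(family, ver) for host, family, ver in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `no-patch-yet` need a manual check against SonicWall's current advisory rather than being treated as safe.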

If you have any questions, please contact our Security Operations Center.