SonicWall Oct. 2020 Patch for Critical VPN Bug – ‘insufficient’!

SonicWall has finally rolled out a complete fix this week for a remote code execution (RCE) flaw affecting some 800,000 devices; until now, the bug could still be used to crash appliances or prevent users from connecting to corporate resources.

A patch released in October for a critical SonicWall VPN bug was insufficient to fix the problem, leaving more than 800,000 devices vulnerable to remote code execution (RCE) for months, one of the researchers who found the flaw has reported.

Buffer Overflow Vulnerability

SonicWall originally patched the stack-based buffer overflow in the SonicWall Network Security Appliance (NSA), tracked as CVE-2020-5135, in October 2020.

However, Craig Young, a computer security researcher with Tripwire's Vulnerability and Exposures Research Team (VERT), explained that the initial patch was "botched" and that a "one- or two-line fix" was still needed to complete it, he wrote in a report published Tuesday that details where the fix went wrong.

Complete Patch

Although SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.

"I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back," he wrote. "I reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released."

Where It Went Wrong

Young and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited in October with finding the flaw, which lies in the HTTP/HTTPS service used for product management and SSL VPN remote access.

An unskilled attacker could use the bug to trigger a persistent denial-of-service (DoS) condition with an unauthenticated HTTP request involving a custom protocol handler, and a more capable attacker could potentially turn it into RCE, Young wrote in his analysis at the time.

Abramov and Young both reported the bug to SonicWall around the same time in late September, and the company gave Young a date of Oct. 5 for a patch. That date was later moved to Oct. 14, he wrote, which is when SonicWall also acknowledged that it had issued a patch for the flaw.

Microsoft Azure

After the patch was released, Young tested a SonicWall VPN appliance on Microsoft Azure against the proof-of-concept exploit he had devised for the flaw and found that it was still vulnerable. The exploit no longer crashed the system, but it did trigger a flood of binary data in the response, he wrote, providing a screenshot of the result in his analysis.

“As you can see from the screenshot, there are values in the binary data which certainly look like they could be memory addresses,” Young wrote.

Leaked Memory

“Although I never observed recognisable text in the leaked memory, I believe this output could vary based on how the target system is used. I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug.”

Young's final assessment was that the fix was incomplete. "The unbounded string copy was replaced with an appropriate memory safe function, but the return value was not properly considered," he wrote.
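The pattern Young describes (a bounded copy whose return value is trusted as the length actually stored) is a common way for an overflow patch to turn a crash into a memory disclosure. The following C program is an added, hypothetical reconstruction of that pattern, not SonicWall's code and not Young's proof of concept: buffer sizes, function names, the simulated stack frame and its sentinel "addresses" are all assumptions. It shows the original unbounded copy, the incomplete fix that echoes bytes beyond the buffer back to the client (the "values that look like memory addresses" in the screenshot), a complete fix that refuses truncated input, and a small search that checks whether a response contains a known pointer-sized value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction (not SonicWall's code) of the three states the
 * article describes: the original unbounded copy, the incomplete October 2020
 * fix, and a complete fix. Sizes, names and frame layout are assumptions. */

#define BUF_SZ 32

/* Simulated stack frame: the fixed-size request buffer followed by what, on a
 * real stack, would be saved registers and a return address. */
struct frame {
    char     buf[BUF_SZ];
    uint64_t saved_fp;     /* stand-in for adjacent stack data */
    uint64_t ret_addr;
};

#define FP_SENTINEL  UINT64_C(0x00007ffc1a2b3c40)   /* looks like a user-space address */
#define RET_SENTINEL UINT64_C(0x000055d0deadbeef)

/* 1. Original bug (CWE-121): no bound on the copy at all. Shown for contrast;
 *    never call it with untrusted input. */
void copy_unpatched(char *dst, const char *in) {
    strcpy(dst, in);
}

/* 2. Incomplete fix: snprintf bounds the write, but its return value is the
 *    length the formatted string WOULD have had, not what was stored. Using it
 *    as the response length copies past buf into the rest of the frame, which
 *    is how a crash becomes a memory disclosure. */
long handle_botched(const char *in, unsigned char *out, size_t out_sz) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_fp = FP_SENTINEL;
    f.ret_addr = RET_SENTINEL;

    int n = snprintf(f.buf, sizeof f.buf, "%s", in);
    if (n < 0) return -1;
    size_t len = (size_t)n;               /* BUG: never clamped to sizeof f.buf */
    if (len > out_sz) len = out_sz;
    if (len > sizeof f) len = sizeof f;   /* demo only: keep the over-read inside the struct */
    memcpy(out, &f, len);                 /* echoes saved_fp / ret_addr to the client */
    return (long)len;
}

/* 3. Complete fix: a return value >= sizeof buf means truncation; refuse the
 *    request instead of trusting the number. */
long handle_fixed(const char *in, unsigned char *out, size_t out_sz) {
    char buf[BUF_SZ];
    int n = snprintf(buf, sizeof buf, "%s", in);
    if (n < 0 || (size_t)n >= sizeof buf) return -1;   /* truncated: reject */
    size_t len = (size_t)n;
    if (len > out_sz) return -1;
    memcpy(out, buf, len);
    return (long)len;
}

/* Search a response for the in-memory representation of a 64-bit value. */
int contains_u64(const unsigned char *p, size_t len, uint64_t v) {
    if (len < sizeof v) return 0;
    for (size_t i = 0; i + sizeof v <= len; i++)
        if (memcmp(p + i, &v, sizeof v) == 0) return 1;
    return 0;
}

/* Drive the botched handler with a constructed 64-byte request; returns 1 if
 * the response carries both simulated frame values. */
int botched_leaks_frame(void) {
    char in[65];
    memset(in, 'A', 64); in[64] = '\0';
    unsigned char out[128];
    long len = handle_botched(in, out, sizeof out);
    return len == (long)sizeof(struct frame)
        && contains_u64(out, (size_t)len, RET_SENTINEL)
        && contains_u64(out, (size_t)len, FP_SENTINEL);
}

/* Same oversized request against the complete fix; returns 1 if refused. */
int fixed_rejects_oversize(void) {
    char in[65];
    memset(in, 'A', 64); in[64] = '\0';
    unsigned char out[128];
    return handle_fixed(in, out, sizeof out) == -1;
}

/* A normal request still works: returns the echoed length (5 for "hello"). */
long fixed_copies_short(void) {
    unsigned char out[128];
    long len = handle_fixed("hello", out, sizeof out);
    return (len == 5 && memcmp(out, "hello", 5) == 0) ? len : -1;
}

int main(void) {
    unsigned char out[128];
    char in[65];
    memset(in, 'A', 64); in[64] = '\0';
    long len = handle_botched(in, out, sizeof out);
    printf("botched: %ld bytes returned for a 64-byte request into a %d-byte buffer\n", len, BUF_SZ);
    printf("simulated return address in response: %s\n",
           contains_u64(out, (size_t)len, RET_SENTINEL) ? "yes" : "no");
    printf("fixed: %ld (negative = request refused)\n", handle_fixed(in, out, sizeof out));
    return 0;
}
```

The over-read in `handle_botched` is clamped to the struct so the demo stays defined behaviour; in real code the copy would read whatever sits above the buffer on the stack, which is why the leaked bytes resemble pointers. Rejecting truncated input, as `handle_fixed` does, is the conservative choice for a management interface; clamping to `sizeof buf - 1` would also close the leak but silently accepts malformed requests.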

Security Advisory

Young reported his findings to SonicWall PSIRT on Oct. 6 and followed up several times before receiving a response on Oct. 9 that "confirmed my expectation that this was the result of an improper fix for CVE-2020-5135 and told me that the patched firmware versions had already started to become available on as well as via Azure," he wrote.

Six days later, Young said he received a response from the company that he would be informed when the memory-dump issue he identified was resolved and ready for release. He followed up again in March when he still had not heard back, he wrote.

Other Bugs

Ultimately, it would take until this week, June 22, before SonicWall would publicly post the advisory for the updated patch, Young wrote.

The advisory also covers patches for a number of other bugs in SonicWall platforms; the complete list is available in both the company's post and Young's analysis.