SonicWall patches 11 firewall vulnerabilities

Firewall-builder SonicWall has patched a total of 11 Common Vulnerabilities and Exposures (CVEs) disclosed in its SonicOS operating system by researchers at Positive Technologies, one of which has been assigned a critical CVSS score of 9.4.

The most serious vulnerability, CVE-2020-5135, is a buffer overflow vulnerability in SonicOS Gen 6, versions 6.5.4.7, 6.5.1.12, 6.0.5.3 and SonicOSv 6.5.4.v. It could be used against affected products by malicious actors to cause denial of service (DoS) and execute arbitrary code.

“The tested solution uses a SSL-VPN remote access service on firewalls, and users can be disconnected from internal networks and their workstations in case of a DoS attack,” said Positive Technologies researcher Nikita Abramov, who worked on the disclosure alongside Tripwire’s Craig Young.

“If attackers manage to execute arbitrary code, they may be able to develop an attack and penetrate the company’s internal networks,” said Abramov.

A second vulnerability, CVE-2020-5133, was rated 8.2 on the CVSS matrix, and could allow a remote, unauthenticated attacker to cause DoS attacks due to buffer overflow, leading to a firewall crash. Further failures in SonicOS could also be caused by successful exploitation of CVEs 2020-5137, 5138, 5139 and 5140, all exploitable remotely, and CVEs 2020-5134 and 5136, which are less severe as to exploit them would require authentication.

Additional detected vulnerabilities, Positive Technologies said, include CVE-2020-5141, which could enable a remote, unauthenticated attacker to brute force a virtual assist ticket identity in the SSL-VPN service; CVE-2020-5142, a cross-site scripting (XSS) vulnerability which enables a remote, unauthenticated attacker to execute arbitrary JavaScript code in the firewall SSL-VPN portal; and CVE-2020-5143, which exists in the SonicOS SSL-VPN login page and could allow a remote, unauthenticated attacker to perform firewall management administrator username enumeration based on the server responses.

SonicWall, which is behind a fifth of gateway security appliances according to IDC statistics, said that it was not aware of any of the addressed vulnerabilities having been proactively exploited by cyber criminals so far.

Any customer using an impacted product is advised to upgrade their firmware – a valid support contract is not required to do so.

SonicWall told Computer Weekly it maintains the highest standards to ensure the integrity of its products, solutions, services, technology and any related IP and, as such, takes every disclosure or discovery very seriously.

“This is best practice for vendor-researcher collaboration in the modern era,” said SonicWall head of quality engineering, Aria Eslambolchizadeh.

“These types of open and transparent relationships protect the integrity of the online landscape, and ensure better protection from advanced threats and emerging vulnerabilities before they impact end users, as was the case here.”

The full list of disclosed vulnerabilities is available from SonicWall, as well as instructions and guidance on how to update at-risk products.