New findings have emerged that show a critical SonicWall vulnerability disclosed last year, which was initially thought to have been patched by the company, is still an issue.
In October 2020, a critical stack-based buffer overflow bug (CVE-2020-5135) in SonicWall's network security appliances was disclosed, affecting over 800,000 SonicWall virtual private networks (VPNs). The vulnerability allowed remote attackers to execute code on the affected devices or cause a denial of service (DoS).
Now the original researchers who discovered the flaw say the bug was not properly patched, so a new identifier has been assigned to it: CVE-2021-20019.
Craig Young and Nikita Abramov discovered the critical stack-based buffer overflow in SonicWall's VPN firewalls in October 2018. The VERT researcher who authored the proof-of-concept exploit for the SonicWall bug has now retested it and concluded that the fix was unsuccessful.
“I decided to spin up a SonicWall instance on Azure to confirm how it responded to my proof-of-concept exploit. In some past research, I have observed differences in vulnerable behavior related to hardware-based acceleration utilizing a separate code path,” says Young in a blog post.
Where the proof-of-concept exploit previously caused a system crash, it now returned a stream of binary data in the HTTP response instead. According to Young, that binary data could consist of memory addresses, an information leak that could help an attacker achieve remote code execution (RCE).
“Although I never observed recognizable text in the leaked memory, I believe this output could vary based on how the target system is used. I also suspect that the values in my output are in fact memory addresses which could be a useful information leak for exploiting an RCE bug,” said the researcher.
Young reported the flaw to SonicWall, and SonicWall's PSIRT later stated:
“This [vulnerability has] been assigned CVE-2021-20019 and a patch would be released in [early 2021]…”
“SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products,” a SonicWall spokesperson told BleepingComputer.
SonicWall has released advisories for this vulnerability with further information.