800,000 SonicWall VPNs vulnerable to new remote code execution bug

VPN vulnerabilities — the gift that keeps on giving (to attackers).
Written by Catalin Cimpanu, Contributor
Image: SonicWall

Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability that was disclosed on Wednesday.

Also: The best VPNs in 2020

Discovered by the Tripwire VERT security team, CVE-2020-5135 impacts SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.

SonicWall NSAs are used as firewalls and SSL VPN portals to filter, control, and allow employees to access internal and private networks.

Tripwire researchers say SonicOS contains a bug in a component that handles custom protocols.

The component is exposed on the WAN (public internet) interface, meaning any attacker can exploit it, as long as they're aware of the device's IP address.

Tripwire said exploiting the bug is trivial even for unskilled attackers. In its simplest form, the bug can cause a denial of service and crash devices, but "a code execution exploit is likely feasible."

The security firm said it reported the bug to the SonicWall team, which released patches on Monday.

On Wednesday, when it disclosed the CVE-2020-5135 bug on its blog, Tripwire VERT security researcher Craig Young said the company had identified 795,357 SonicWall VPNs that were connected online and were likely to be vulnerable.

CVE-2020-5135 is considered a critical bug, with a rating of 9.4 out of 10, and is expected to come under active exploitation once proof-of-concept code is made publicly available. Exploiting the vulnerability doesn't require the attacker to have valid credentials as the bug manifests before any authentication operations.

The bug is also SonicWall's second major bug this year, after CVE-2019-7481, disclosed earlier this winter.

Tenable and Microsoft researchers have shared this week Shodan dorks for identifying SonicWall VPNs and getting them patched.

"At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted," a spokesperson told ZDNet in an email.

Updated at 10:45am ET with statement from SonicWall.

Editorial standards