Tripwire VERT has identified a stack-based buffer overflow in SonicWall Network Security Appliance (NSA). The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
Exposure and Impact
An unskilled attacker can use this flaw to cause a persistent denial of service condition. Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption indicating that a code execution exploit is likely feasible. This flaw exists pre-authentication and within a component (SSLVPN) which is typically exposed to the public Internet. As of the date of discovery, a Shodan search for the affected HTTP server banner indicated 795,357 hosts.
SonicWall has indicated that the following versions are vulnerable:
- SonicOS 220.127.116.11-79n and earlier
- SonicOS 18.104.22.168-4n and earlier
- SonicOS 22.214.171.124-93o and earlier
- SonicOSv 126.96.36.199-44v-21-794 and earlier
- SonicOS 188.8.131.52-1
Remediation & Mitigation
SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied.
SonicWall has indicated that the following versions include a fix for this issue:
- SonicOS 184.108.40.206-83n
- SonicOS 220.127.116.11-1n
- SonicOS 18.104.22.168-94o
- SonicOS 6.5.4.v-21s-987
- Gen 7 22.214.171.124-2 and onwards
Tripwire IP360 starting with ASPL-909 contains remote heuristic detection of the vulnerable service.
More information about detecting possible attacks will be shared as needed after more system owners have had an opportunity to patch.