Critical Vulnerability for SonicWall VPN (CVE-2020-5135)

About

According to a security advisory released by SonicWall (SNWLID-2020-0010), several vulnerabilities affect SonicOS, the firmware that runs on SonicWall Network Security Appliances (NSA). The most critical of them, CVE-2020-5135, is a buffer overflow in the HTTP/HTTPS service that serves both the management interface and the SSL VPN portal. An unauthenticated remote attacker can trigger it with a crafted request; the confirmed result is a crash of the appliance (denial of service), and remote code execution is considered possible.

Vulnerable Versions:

  • SonicOS 6.5.4.6-79n and earlier
  • SonicOS 6.5.1.11-4n and earlier
  • SonicOS 6.0.5.3-93o and earlier
  • SonicOSv 6.5.4.4-44v-21-794 and earlier
  • SonicOS 7.0.0.0-1
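To make the list above mechanically checkable, here is an added example written for this page (it is not SonicWall's tooling) that compares the firmware version string displayed by the appliance against the entries listed. The grouping into release trains (major.minor.patch) and the handling of versions that sit on no listed train are assumptions of the example: anything it reports as None is simply not covered by the list above and must be checked against the SonicWall advisory directly, not treated as safe.

```python
"""Check a SonicOS firmware version string against the affected list above."""
import re

# Ceilings taken from the "and earlier" entries in the list above: for each
# release train (major.minor.patch), the highest build that is still affected.
AFFECTED_CEILINGS = {
    (6, 5, 4): ((6, 5, 4, 6), 79),    # SonicOS 6.5.4.6-79n and earlier
    (6, 5, 1): ((6, 5, 1, 11), 4),    # SonicOS 6.5.1.11-4n and earlier
    (6, 0, 5): ((6, 0, 5, 3), 93),    # SonicOS 6.0.5.3-93o and earlier
}
# Entries the list gives as single versions (no "and earlier"), matched exactly.
AFFECTED_EXACT = {"7.0.0.0-1", "6.5.4.4-44v-21-794"}

# major.minor.patch.hotfix-build followed by an optional platform letter (n, o, ...).
# Assumed layout for this example; SonicOSv strings carry extra suffixes and are
# only handled by the exact-match set above.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)[A-Za-z]*$")


def parse_sonicos_version(version):
    """Split '6.5.4.6-79n' into ((6, 5, 4, 6), 79); raise ValueError otherwise."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    nums = tuple(int(g) for g in m.groups())
    return nums[:4], nums[4]


def is_affected(version):
    """Return True if the version is on the affected list, False if it is a
    later build on a listed train, and None if the list above says nothing
    about this train (treat None as 'check the advisory', not as 'safe')."""
    if version.strip() in AFFECTED_EXACT:
        return True
    try:
        release, build = parse_sonicos_version(version)
    except ValueError:
        return None
    ceiling = AFFECTED_CEILINGS.get(release[:3])
    if ceiling is None:
        return None
    # Tuple comparison orders by hotfix number first, then by build number.
    return (release, build) <= ceiling


if __name__ == "__main__":
    for v in ["6.5.4.6-79n", "6.5.4.7-83n", "6.5.1.11-4n", "7.0.0.0-1", "6.5.2.3-14n"]:
        print(f"{v:22} affected={is_affected(v)}")
```

Run it against the version string from your appliance's status page; a False only means the build is newer than the listed ceiling for its train, so confirm the fixed build in the advisory before closing the ticket.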

What Does This Mean to our Partners?

If you are running a vulnerable version of SonicOS on your NSA, the bug is reachable from the internet on the same interface that serves your remote users, so exposure comes with running the VPN at all. A successful exploit could hand a threat actor control of the appliance, and threat actors have previously exploited critical bugs in network security appliances to gain the foothold from which they deploy ransomware or conduct espionage.

At the time of writing there is no known public exploit code. Crashing the appliance is the straightforward outcome of the bug; remote code execution is considered attainable but has not been publicly demonstrated.

What You Can Do to Protect Yourself and Your Customers

  • Upgrade SonicOS to the fixed release for your firmware train (the SonicWall advisory linked below lists the fixed version for each train).
  • Until you have patched, restrict access to the HTTPS management interface from the WAN. The SSL VPN portal itself must stay reachable, so this reduces exposure but does not remove it; patching is the only complete fix.
  • Review user accounts and VPN access groups to confirm that no accounts you did not create have appeared.
  • Implement multi-factor authentication (MFA) so that a threat actor cannot authenticate with compromised credentials alone.
  • Consider resetting user credentials.
    • If a threat actor exploited the vulnerability before you patched and harvested legitimate credentials, those credentials remain valid after patching; only a reset invalidates them.
  • Audit all VPN logins.
    • Build queries and reports over the firewall's login logs that flag unknown accounts, logins at unusual times, and connections from unexpected locations or source networks.
  • Scan the internet-facing interfaces of your SonicWall NSA with a vulnerability scanner that has a check for CVE-2020-5135, and confirm that the firmware version it reports is the patched one.
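To give the login audit above something concrete to run, here is an added example written for this page (it is not BlackPoint's or SonicWall's tooling) that parses SonicOS-style key=value syslog lines and flags the conditions listed: accounts missing from a pre-advisory baseline, logins from outside the expected source networks or outside working hours, and a user's source IP changing within a short window. The sample log lines, the message wording, the user baseline and the network list are all constructed assumptions; substitute your own syslog export and the account list you captured before the advisory date.

```python
"""Flag suspicious SSL VPN logins in SonicOS-style syslog, per the audit steps above."""
import re
import ipaddress
from datetime import datetime, time, timedelta

# Constructed sample log. The key=value layout mimics SonicOS syslog, but the
# message wording, field set and values are assumptions made for this example.
SAMPLE_LOG = """\
time="2020-10-14 09:12:03" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="alice" src=198.51.100.23
time="2020-10-14 13:40:51" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="bob" src=198.51.100.77
time="2020-10-15 03:17:09" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="alice" src=192.0.2.200
time="2020-10-15 03:18:44" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="svc_backup" src=192.0.2.200
time="2020-10-15 03:30:00" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="alice" src=198.51.100.23
time="2020-10-15 10:02:30" fw=203.0.113.10 pri=6 msg="SSL VPN login failed" usr="bob" src=198.51.100.77
time="2020-10-15 10:05:12" fw=203.0.113.10 pri=6 msg="SSL VPN login succeeded" usr="bob" src=198.51.100.77
"""

# Baseline, also assumed: the VPN accounts that existed before the advisory
# was published, the networks users normally connect from, and working hours.
KNOWN_USERS = {"alice", "bob"}
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
RAPID_CHANGE_WINDOW = timedelta(hours=1)   # same user, new source IP, within this window

# key=value tokens; values may be double-quoted and contain spaces.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def audit_vpn_logins(log_text, known_users=KNOWN_USERS,
                     expected_networks=EXPECTED_NETWORKS):
    """Return a list of (time, user, src, reason) findings for successful logins."""
    findings = []
    last_seen = {}   # user -> (datetime, ip) of that user's previous successful login
    for line in log_text.splitlines():
        ev = parse_line(line)
        if "login succeeded" not in ev.get("msg", ""):
            continue   # failed attempts are a separate report; only successes matter here
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        user, src = ev["usr"], ipaddress.ip_address(ev["src"])
        key = (ev["time"], user, ev["src"])

        if user not in known_users:
            findings.append(key + ("account not in pre-advisory user list",))
        if not any(src in net for net in expected_networks):
            findings.append(key + ("source outside expected networks",))
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append(key + ("login outside business hours",))
        prev = last_seen.get(user)
        if prev and prev[1] != src and ts - prev[0] <= RAPID_CHANGE_WINDOW:
            findings.append(key + (f"source changed from {prev[1]} within {RAPID_CHANGE_WINDOW}",))
        last_seen[user] = (ts, src)
    return findings


def unknown_accounts(log_text, known_users=KNOWN_USERS):
    """Distinct users seen logging in that are not in the baseline account list."""
    return {f[1] for f in audit_vpn_logins(log_text, known_users)
            if f[3] == "account not in pre-advisory user list"}


if __name__ == "__main__":
    for t, u, s, why in audit_vpn_logins(SAMPLE_LOG):
        print(f"{t}  {u:12} {s:16} {why}")
```

The network allow-list stands in for the "locations" check; if you have a GeoIP database, swap the network test for a country lookup and the rest of the logic is unchanged. Feed the same function the log window starting from the advisory's publication date, and treat every account in unknown_accounts as one to verify against your provisioning records before it is allowed to keep VPN access.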

Ensure the SNAP agent is rolled out to EVERY device in the network: the appliance itself cannot run an agent, so if a threat actor abuses this vulnerability, our visibility into the lateral movement and reconnaissance that follow exploitation depends on the agents on the hosts behind it.

Get More Information

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010

https://threatpost.com/critical-sonicwall-vpn-bug/160108/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5135

BlackPoint Cyber