
If you want to practice writing exploits and worms, there's a big hijacking hole in SonicWall firewall VPNs

A critical vulnerability in a SonicWall enterprise VPN firewall can be exploited to crash the device or remotely execute code on it, reverse engineers said this week. The stack-based buffer overflow (CVE-2020-5135) uncovered by infosec outfit Tripwire can be triggered by an “unauthenticated HTTP request involving a custom …

  1. RM Myers
    FAIL

    Interesting quote from SonicWall website

    96% of customers agree that SonicWall SMA is a secure and flexible solution to help connect work-from-home employees.

    Sounds like 96% of their customers might be slightly naive.

    1. Nate Amsden

      Re: Interesting quote from SonicWall website

      SMA is a totally different product line, which is not affected.

      What is sort of unclear to me (as a SonicWall customer), and I have opened a support ticket this morning on it, is that the Tenable blog says disabling SSL VPN on the firewall can work around the issue. I have not had SSL VPN enabled on my NSA firewalls in many years because, well, last time I tried it, it was basically unusable. The SonicWall SMA appliance was an acquired technology I think (forgot from whom) and was supposed to be a much better platform. In the end my org wasn't able to use SMA, I think because of complications with tying it into Duo at the time (this was 5 or 6 years ago; it may have been related to inline enrollment with Duo), so we ended up going with Pulse Secure. We still have Citrix Access Gateway, which was originally the SSL VPN product used; we had to jump off Citrix due to design problems with their OS X client at the time (I had support tickets spanning more than 1 year on that before they finally came clean, I guess; Windows clients were fine). I still use Citrix Access Gateway to this day. Of course both Citrix and Pulse have had their share of vulnerabilities too.

      Anyway, I asked them to clarify: if SSL VPN is disabled entirely, does that remove any exploitation possibility? I think it does for several of them, and am sort of assuming it does for all, but their website (https://psirt.global.sonicwall.com/vuln-list) really lacks any details on this issue as of yet. They have another site, https://www.sonicwall.com/support/product-notification/sonicwall-dos-xss-vulnerabilities/201015132843063/, which has more info, but again most of them seem specific to SSL VPN. No solid clarification as to which vulnerabilities are not an issue if SSL VPN is disabled.

      1. Nate Amsden

        Re: Interesting quote from SonicWall website

        Got the reply from support, who say that if you don't have SSL VPN enabled, and if you don't have management access enabled externally, the risk of exploitation is very low. I assume perhaps there may be a way to exploit one of these things on an internal management interface, but that's still unclear. The English of the person who replied to my ticket wasn't that great, but they said "So the conclusion here is that we do not need to do anything for SonicWall DoS & XSS Vulnerabilities as our setup is good."

        Hopefully they update the advisory to clarify this more.

    2. sitta_europea

      Re: Interesting quote from SonicWall website

      *Everything* is vulnerable. It's just a matter of finding out how.

      1. herman

        Re: Interesting quote from SonicWall website

        If it isn’t vulnerable - get a bigger hammer.

  2. razorfishsl

    Yep... well..

    I can go one better than all this.....

    I had been warning SonicWall for months that there was something "going on" with their firewalls. I had seen a "leveraged" attack against the back end to extract the config files via an embedded URL....

    Even had it in the admin log; it stated failed.. but then again it does not show it as successful in the log if it works... had a ticket filed.

    Their attitude was piss-poor, even dismissive. Then a couple of days after that, there was an attack that completely reset & cleared the firewalls, logs and all.

    Again... dismissive, because they wanted logs to prove it.

    At one point I had over 28,000 IP addresses from Russian "military" bases targeting our kit.

    And so here we are...

    Oh... and the "work from home" SSL VPN was NOT enabled...
