The vulnerability could be exploited by sending an HTTP request using a custom protocol handler.
Nikita Abramov, an expert from Positive Technologies, discovered 11 vulnerabilities (CVE-2020-5133, CVE-2020-5134, CVE-2020-5135, CVE-2020-5136, CVE-2020-5137, CVE-2020-5138, CVE-2020-5139, CVE-2020-5140, CVE-2020-5141, CVE-2020-5142, and CVE-2020-5143) in the SonicWall Network Security Appliance (NSA) software. The most dangerous of these is rated critical and resides in the HTTP/HTTPS service used for product management as well as SSL VPN remote access.
An attacker could exploit this vulnerability by sending an unauthenticated HTTP request using a custom protocol handler to cause a denial of service condition. As noted by experts, stack corruption makes it possible to redirect the flow of execution, which indicates that arbitrary code execution may be possible.
However, to carry out a code execution attack, an attacker would need to exploit an information leak and do some analysis.
“If someone takes the time to prepare an RCE payload, they will most likely be able to create a large botnet using a worm,” the expert explained.
So far, there have been no indications that the vulnerability has been exploited, but a Shodan search query identified about 460,000 vulnerable devices.
The vulnerability affects SonicOS versions 188.8.131.52-79n and later, SonicOS 184.108.40.206-4n and later, SonicOS 220.127.116.11-93o and later, SonicOSv 18.104.22.168-44v-21-794 and later, and SonicOS 22.214.171.124-1.
SonicWall has released updates that address the discovered vulnerabilities. As a workaround before applying the patch, SSL VPN portals may be disconnected from the network.