Stack-Based Buffer Overflow and SonicOS SSL VPN Tunnel Vulnerability

First Published: 10/16/2023    Last Updated: 10/18/2023

1) Post-authentication Stack-Based Buffer Overflow Vulnerability in multiple URL endpoints leads to a firewall crash.

CVE IDs - CVE-2023-39276, CVE-2023-39277, CVE-2023-39278, CVE-2023-39279, CVE-2023-39280, CVE-2023-41711, CVE-2023-41712
CVSS Score: 7.7 
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Discoverer’s contact information: Aliz Hammond of watchTowr (www.watchtowr.com)
Affected Products: SonicWall Gen6 and Gen7 firewalls

Description of vulnerability:

A post-authentication stack-based buffer overflow in multiple URL endpoints of the SonicOS management web interface and of the SSL VPN portal was discovered and confirmed in certain SonicOS firmware versions (SNWLID-2023-0012). An authenticated remote user can send a request with a specially crafted URL that triggers a Denial of Service (DoS) and may crash the impacted firewall appliance. Low-privileged credentials are sufficient (CVSS PR:L), so the exposure is not limited to administrator accounts.

IMPORTANT: SonicWall is not aware of active exploitation in the wild. There have not been any reports of malicious use of this vulnerability reported to SonicWall.

Product Impact:

Please review the table below to see if your firewall appliance is impacted. If your appliance is using an impacted firmware version, please follow the provided patch guidance.

Impacted Platforms | Impacted Version
Gen7 - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5119 and older versions
Gen7 - NSsp 15700 | 7.0.1-5129 and older versions
Gen6 SonicOSv - NSv (10, 25, 50, 100, 200, 300, 400, 800, 1600) on VMware, Hyper-V and KVM; NSv (200, 400, 800, 1600) on AWS, AWS-PAYG and Azure | 6.5.4.4-44v-21-2079 and older versions
Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | 6.5.4.12-101n and older versions

Remediation

The vulnerability has been patched; users of older SonicWall firmware versions should upgrade immediately to the fixed version listed below for their platform.

Impacted Platforms | Fixed Version
Gen7 - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700 | 7.0.1-5145 (R5175) and higher versions
Gen7 - NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700 | 7.0.1-5145 (R5176) and higher versions
Gen7 - NSv (VMware, AWS, AWS-PAYG, Azure, Hyper-V) | 7.0.1-5145 (R2363) and higher versions
Gen7 - NSv (KVM) | 7.0.1-5145 (R2364) and higher versions
Gen7 - NSsp 15700 | 7.0.1-5145 (R1468) and higher versions
Gen6 SonicOSv - NSv (10, 25, 50, 100, 200, 300, 400, 800, 1600) on VMware, Hyper-V and KVM; NSv (200, 400, 800, 1600) on AWS, AWS-PAYG and Azure | 6.5.4.4-44v-21-2340 and higher versions
Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | 6.5.4.13-105n and higher versions

When we were first notified of it: reported by an external researcher; SonicWall PSIRT received the report on 28 June 2023.
Has it been exploited in the wild: SonicWall PSIRT is not aware of active exploitation in the wild. No proof of concept has been made public, and no malicious use of this vulnerability has been reported to SonicWall.

2) Post-authentication Improper Privilege Management vulnerability in the SonicOS SSL VPN Tunnel allows users to elevate their privileges inside the tunnel.

CVE ID - CVE-2023-41715
CVSS Score: 6.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Discoverer’s contact information: Ta-Lun Yen of TXOne Networks
Affected Products: SonicWall Gen7 firewalls.

Description of vulnerability:

A post-authentication improper privilege management vulnerability in the SonicOS SSL VPN tunnel allows an authenticated user to elevate their privileges inside the tunnel (SNWLID-2023-0012) and potentially gain access to restricted resources.

IMPORTANT: SonicWall is not aware of active exploitation in the wild. There have not been any reports of malicious use of this vulnerability reported to SonicWall.

Product Impact:

Please review the table below to see if your firewall appliance is impacted. If your appliance is using an impacted firmware version, please follow the provided patch guidance.

Impacted Platforms | Impacted Version
Gen7 - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5119 and older versions
Gen7 - NSsp 15700 | 7.0.1-5129 and older versions
Gen6 SonicOSv - NSv (10, 25, 50, 100, 200, 300, 400, 800, 1600) on VMware, Hyper-V and KVM; NSv (200, 400, 800, 1600) on AWS, AWS-PAYG and Azure | 6.5.4.4-44v-21-2079 and older versions
Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | 6.5.4.12-101n and older versions

Remediation

The vulnerability has been patched; users of older SonicWall firmware versions should upgrade immediately to the fixed version listed below for their platform.

Impacted Platforms | Fixed Version
Gen7 - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700 | 7.0.1-5145 (R5175) and higher versions
Gen7 - NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700 | 7.0.1-5145 (R5176) and higher versions
Gen7 - NSv (VMware, AWS, AWS-PAYG, Azure, Hyper-V) | 7.0.1-5145 (R2363) and higher versions
Gen7 - NSv (KVM) | 7.0.1-5145 (R2364) and higher versions
Gen7 - NSsp 15700 | 7.0.1-5145 (R1468) and higher versions
Gen6 SonicOSv - NSv (10, 25, 50, 100, 200, 300, 400, 800, 1600) on VMware, Hyper-V and KVM; NSv (200, 400, 800, 1600) on AWS, AWS-PAYG and Azure | 6.5.4.4-44v-21-2340 and higher versions
Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | 6.5.4.13-105n and higher versions

When we were first notified of it: reported by an external researcher; SonicWall PSIRT received the report on 25 July 2023.
Has it been exploited in the wild: SonicWall PSIRT is not aware of active exploitation in the wild. No proof of concept has been made public, and no malicious use of this vulnerability has been reported to SonicWall.
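Both vulnerabilities in this advisory share the same impacted and fixed version tables, so a single check covers the "Product Impact" sections of 1) and 2). The script below is an added example, not SonicWall code and not part of the original advisory: it transcribes the tables and classifies a (model, running firmware) pair. The version strings come from the tables; the platform keys ("gen7", "gen6-nsv", ...), the status names and the sample inventory are this example's own assumptions. Two practitioner caveats are built in. First, the advisory lists a newest impacted build (7.0.1-5119, or 7.0.1-5129 for the NSsp 15700) and an oldest fixed build (7.0.1-5145) but says nothing about builds in between, so those are reported as "unlisted-build" and should be treated as impacted until confirmed. Second, the Gen7 fixed builds carry a per-platform release tag such as "(R5175)"; the script assumes ordering is decided by the "7.0.1-5145" part and ignores the tag, and it refuses to compare a version string from the wrong firmware train (a Gen6 SonicOSv "...44v..." build entered for a Gen6 hardware firewall, for instance) rather than silently returning a verdict.

```python
"""Classify a SonicOS firmware version against the impacted/fixed version
tables in this advisory (SNWLID-2023-0012).

Constructed example, not SonicWall code. Version strings are transcribed
from the advisory tables; platform keys and status names are this script's
own conventions.
"""
import re

# (newest impacted build, oldest fixed build) per platform group, as listed
# in the advisory. Gen7 fixed builds also carry a per-platform release tag
# such as "(R5175)"; this script assumes ordering is decided by the
# "7.0.1-5145" part alone and ignores the tag.
TABLE = {
    "gen7":           ("7.0.1-5119", "7.0.1-5145"),
    "gen7-nssp15700": ("7.0.1-5129", "7.0.1-5145"),
    "gen6-nsv":       ("6.5.4.4-44v-21-2079", "6.5.4.4-44v-21-2340"),
    "gen6-fw":        ("6.5.4.12-101n", "6.5.4.13-105n"),
}

GEN7 = ("TZ270 TZ270W TZ370 TZ370W TZ470 TZ470W TZ570 TZ570W TZ570P TZ670 "
        "NSa2700 NSa3700 NSa4700 NSa5700 NSa6700 NSsp10700 NSsp11700 "
        "NSsp13700 NSv270 NSv470 NSv870").split()
GEN6_NSV = [f"NSv{n}" for n in (10, 25, 50, 100, 200, 300, 400, 800, 1600)]
GEN6_FW = ("SOHOW SOHO250 SOHO250W TZ300 TZ300W TZ300P TZ350 TZ350W TZ400 "
           "TZ400W TZ500 TZ500W TZ600 TZ600P NSA2600 NSA2650 NSA3600 NSA3650 "
           "NSA4600 NSA4650 NSA5600 NSA5650 NSA6600 NSA6650 SM9200 SM9250 "
           "SM9400 SM9450 SM9600 SM9650").split()


def _norm(model: str) -> str:
    """'NSsp 15700', 'nssp15700' and 'NSSP 15700' all name the same box."""
    return re.sub(r"\s+", "", model).upper()


PLATFORM_KEY = {_norm(m): "gen7" for m in GEN7}
PLATFORM_KEY[_norm("NSsp 15700")] = "gen7-nssp15700"
PLATFORM_KEY.update({_norm(m): "gen6-nsv" for m in GEN6_NSV})
PLATFORM_KEY.update({_norm(m): "gen6-fw" for m in GEN6_FW})


def parse_version(v: str) -> tuple:
    """'7.0.1-5145 (R5175)' -> (7, 0, 1, 5145); '6.5.4.4-44v-21-2079' ->
    (6, 5, 4, 4, 44, 21, 2079). Tuples compare lexicographically, which is
    the ordering the advisory's 'and older' / 'and higher' wording implies."""
    core = v.split("(", 1)[0]
    nums = re.findall(r"\d+", core)
    if not nums:
        raise ValueError(f"no numeric components in {v!r}")
    return tuple(int(n) for n in nums)


def build_markers(v: str) -> tuple:
    """Letter markers inside the build id ('v' in the Gen6 SonicOSv train,
    'n' in Gen6 hardware builds, none in Gen7). Used to reject a version
    string from the wrong train before comparing numbers."""
    return tuple(m.lower() for m in re.findall(r"[A-Za-z]+", v.split("(", 1)[0]))


def assess(model: str, running: str) -> str:
    """Return 'impacted', 'fixed', 'unlisted-build' or 'unknown-platform'.

    'unlisted-build' means newer than the newest impacted build but older
    than the oldest fixed one (e.g. 7.0.1-5130 on a TZ 370); the advisory
    says nothing about such builds, so treat them as impacted until confirmed.
    """
    key = PLATFORM_KEY.get(_norm(model))
    if key is None:
        return "unknown-platform"
    impacted_max_s, fixed_min_s = TABLE[key]
    if build_markers(running) != build_markers(fixed_min_s):
        raise ValueError(f"{running!r} is not a build of the {fixed_min_s} train")
    cur = parse_version(running)
    impacted_max, fixed_min = parse_version(impacted_max_s), parse_version(fixed_min_s)
    if cur[0] != fixed_min[0]:
        raise ValueError(f"{running!r} is not a build of the {fixed_min_s} train")
    if cur >= fixed_min:
        return "fixed"
    if cur <= impacted_max:
        return "impacted"
    return "unlisted-build"


if __name__ == "__main__":
    # Constructed inventory for illustration, not real devices.
    inventory = [
        ("TZ 370", "7.0.1-5119"),
        ("NSsp 15700", "7.0.1-5129"),
        ("NSsp 15700", "7.0.1-5145 (R1468)"),
        ("NSa 2700", "7.0.1-5130"),
        ("NSv 200", "6.5.4.4-44v-21-2079"),
        ("TZ 400", "6.5.4.13-105n"),
        ("TZ 400", "6.5.4.4-44v-21-2340"),  # wrong train: rejected
    ]
    for model, fw in inventory:
        try:
            print(f"{model:<12} {fw:<24} {assess(model, fw)}")
        except ValueError as exc:
            print(f"{model:<12} {fw:<24} error: {exc}")
```

Feed it the model and firmware string exactly as the appliance reports them (the model lookup ignores case and spacing); anything reported as "impacted" or "unlisted-build" goes on the upgrade list, and a ValueError means the inventory entry itself needs checking before any verdict is trusted.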