CVE-2020-5135 - Buffer Overflow in SonicWall VPNs - Patch Now

Published: 2020-10-17
Last Updated: 2020-10-17 16:22:00 UTC
by Rick Wanner (Version: 1)
1 comment(s)

Discovered by Tripwire VERT, CVE-2020-5135 is a buffer overflow vulnerability in the popular SonicWall Network Security Appliance (NSA) which can permit an unauthenticated bad guy to execute arbitrary code on the device.

The following versions of SonicWall are vulnerable:
SonicOS and earlier
SonicOS and earlier
SonicOS and earlier
SonicOSv and earlier

After some research, I am unclear how many devices may be vulnerable to this attack. Tenable/Tripwire implies it could be up to approximately 800,000 devices (as detected by Shodan).  

I expect that not all of these devices have the VPN enabled, and some have been updated already, so the number is probably quite a bit lower, but still significant. 

I have not been able to find a way to remotely detect which devices are vulnerable.  Nmap can be used to detect SonicWall instances, but does not provide enough information to determine the OS version or probe for the vulnerability.

80/tcp    open     http-proxy     syn-ack ttl 53 SonicWALL SSL-VPN http proxy
|_http-server-header: SonicWALL SSL-VPN Web Server
443/tcp   open     ssl/http-proxy syn-ack ttl 53 SonicWALL SSL-VPN http proxy
|_http-server-header: SonicWALL SSL-VPN Web Server
50001/tcp filtered unknown        no-response

If any of you know of a reliable scanning technique to detect this vulnerability please let me know at our contact page and I will update the diary.

SonicWall released updates last week which fix this vulnerability and several others. Although no known exploit has been detected in the wild.  I expect, give recent historical attacks on VPNs, I would expect this one will get a lot of interest from bad guys. I strongly recommend updating as soon as reasonable.

More information can be found at the following links:


-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - - Twitter:namedeplume (Protected)

1 comment(s)


Even though the issue is interesting and promising for certain attackers, our Cyber Threat Intelligence isn't observing any important research or exploitation activity at the moment. Most malicious actors might be focusing on the latest Microsoft patchday right now...

Diary Archives