Nearly 800,000 SonicWall VPN devices are affected by a very serious security vulnerability
According to an emergency cybersecurity warning issued on October 14, nearly 800,000 internet-connected SonicWall VPN devices are currently affected by an extremely serious security vulnerability and need to be patched as soon as possible.
Discovered by the security organization Tripwire VERT, the vulnerability has the identifier CVE-2020-5135 and is believed to affect SonicOS, the operating system that runs on SonicWall Network Security Appliance (NSA) devices. SonicWall NSA devices are commonly used as firewalls and SSL VPN gateways to filter, control and allow access to private and local networks.
Tripwire VERT researchers said the bug exists in the SonicOS component that handles custom protocols. This component is exposed on the WAN (public internet) interface, meaning that any attacker can exploit the vulnerability as long as they have the IP address of the device.
This vulnerability is dangerous in that it can be easily exploited even by hackers with little experience or only average skills. In its simplest form, CVE-2020-5135 can cause denial of service and device crashes. Tripwire VERT said it reported the bug to the SonicWall team on October 11. Patches were immediately developed and are expected to be available after a few days.
SonicWall publishes vulnerability information
In parallel with the discovery of the CVE-2020-5135 vulnerability, Tripwire VERT experts also identified at least 795,357 internet-connected SonicWall VPN devices that are at high risk of being hacked through this vulnerability.
CVE-2020-5135 is considered a critical bug, with a rating of 9.4 out of 10, and is expected to be actively exploited once its proof-of-concept code is published. Exploiting the vulnerability does not require an attacker to have valid credentials, because the error occurs before any authentication.
CVE-2020-5135 is also the second major vulnerability found in SonicWall products in 2020. Before it came CVE-2019-7481, which was revealed earlier this year. As of now, SonicWall has not recorded any reports of the vulnerabilities being exploited or of customers encountering related issues.