Nearly 800,000 internet-accessible SonicWall VPN appliances will need to be updated to fix an important new bug that was disclosed on Wednesday.
CVE-2020-5135, which was discovered by the Tripwire VERT security team, affects SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.
These devices are used as firewalls and SSL VPN portals to filter and control traffic and to give employees access to internal, private networks.
Tripwire researchers say SonicOS contains a bug in a module that handles custom protocols.
The module is exposed on the WAN (public internet) interface, which means any threat actor can easily exploit it as long as they know the device’s IP address.
The company said exploiting the flaw is trivial even for unskilled attackers. In its simplest form, the bug can cause a denial of service and crash devices, but “a code execution exploit is likely feasible.”
Tripwire said it reported the bug to the SonicWall team, which released fixes on Monday.
On Wednesday, when it disclosed the CVE-2020-5135 flaw on its blog, Tripwire VERT security researcher Craig Young said the company had identified 795,357 SonicWall VPNs that were connected to the internet and likely to be vulnerable.
The bug is also SonicWall’s second major flaw this year, after CVE-2019-7481, disclosed earlier this winter.