⚠ Actively exploited
Added to CISA KEV on 2022-03-15. Federal agencies required to patch by 2022-04-05. Required action: Apply updates per vendor instructions..

CVE-2020-5135Classic Buffer Overflow in Sonicos

CWE-120Classic Buffer OverflowCWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents6 sources
Severity
9.8CRITICALNVD
EPSS
22.6%
top 4.14%
CISA KEV
KEV
Added 2022-03-15
Due 2022-04-05
Exploit
Exploited in wild
Active exploitation observed
Affected products
2
Sonicwall SonicosSonicwall Sonicosv
Timeline
PublishedOct 12
KEV addedMar 15
KEV dueApr 5
Latest updateMay 24
CISA Required Action: Apply updates per vendor instructions.

Description

A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending a malicious request to the firewall. This vulnerability affected SonicOS Gen 6 version 6.5.4.7, 6.5.1.12, 6.0.5.3, SonicOSv 6.5.4.v and Gen 7 version 7.0.0.0.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

NVDsonicwall/sonicosv6.5.4.4
NVDsonicwall/sonicos6.5.0.06.5.1.11+3
CVEListV5sonicwall/sonicos5 versions+4

🔴Vulnerability Details

3
GHSA
GHSA-vw5m-894x-7rp4: A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending2022-05-24
CVEList
CVE-2020-5135: A buffer overflow vulnerability in SonicOS allows a remote attacker to cause Denial of Service (DoS) and potentially execute arbitrary code by sending2020-10-12
VulnCheck
SonicWall SonicOS Buffer Overflow Vulnerability2020

📋Vendor Advisories

1
CISA
SonicWall SonicOS Buffer Overflow Vulnerability2022-03-15
CVE-2020-5135 — Classic Buffer Overflow in Sonicos | cvebase