SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) - Nessus

Critical   Plugin ID: 127107

This page contains detailed information about the SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 127107
Name: SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11)
Filename: sonicwall_SNWLID-2019-0009.nasl
Vulnerability Published: 2019-07-19
This Plugin Published: 2019-07-29
Last Modification Time: 2022-01-26
Plugin Version: 1.6
Plugin Type: remote
Plugin Family: Firewalls
Dependencies: os_fingerprint.nasl
Required KB Items: Host/OS

Vulnerability Information


Severity: Critical
Vulnerability Published: 2019-07-19
Patch Published: 2019-07-19
CVE: CVE-2019-12255, CVE-2019-12256, CVE-2019-12257, CVE-2019-12258, CVE-2019-12259, CVE-2019-12260, CVE-2019-12261, CVE-2019-12262, CVE-2019-12263, CVE-2019-12264, CVE-2019-12265
CPE: cpe:/o:sonicwall:sonicos

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected by multiple vulnerabilities:

- Stack overflow in the parsing of IPv4 packets IP options. (CVE-2019-12256)

- TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)

- TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)

- TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)

- TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)

- Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

- TCP connection DoS via malformed TCP options (CVE-2019-12258)

- Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)

- Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

- DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

- IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to the relevant fixed version referenced in the vendor security advisory.

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Exploit-DB, GitHub)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) vulnerability:

  1. Exploit-DB: exploits/vxworks/dos/47233.py
    [EDB-47233: VxWorks 6.8 - TCP Urgent Pointer = 0 Integer Underflow]
  2. GitHub: https://github.com/ArmisSecurity/urgent11-detector
    [CVE-2019-12258]
  3. GitHub: https://github.com/sud0woodo/Urgent11-Suricata-LUA-scripts
    [CVE-2019-12255: Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and ...]
  4. GitHub: https://github.com/sud0woodo/Urgent11-Suricata-LUA-scripts
    [CVE-2019-12256: Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and ...]
  5. GitHub: https://github.com/sud0woodo/Urgent11-Suricata-LUA-scripts
    [CVE-2019-12258: Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and ...]
  6. GitHub: https://github.com/sud0woodo/Urgent11-Suricata-LUA-scripts
    [CVE-2019-12260: Suricata LUA scripts to detect CVE-2019-12255, CVE-2019-12256, CVE-2019-12258, and ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. Otherwise, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS Score Source: CVE-2019-12262
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 5.9 (Medium)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 5.9 (Medium)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
CVSS Base Score: 9.8 (Critical)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
CVSS Temporal Score: 8.8 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.8 (High)
STIG Severity: I
STIG Risk Rating: High


Plugin Source


This is the sonicwall_SNWLID-2019-0009.nasl nessus plugin source code. This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(127107);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/01/26");

  script_cve_id(
    "CVE-2019-12255",
    "CVE-2019-12256",
    "CVE-2019-12257",
    "CVE-2019-12258",
    "CVE-2019-12259",
    "CVE-2019-12260",
    "CVE-2019-12261",
    "CVE-2019-12262",
    "CVE-2019-12263",
    "CVE-2019-12264",
    "CVE-2019-12265"
  );
  script_xref(name:"IAVA", value:"2019-A-0274-S");

  script_name(english:"SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11)");
  script_summary(english:"Checks the version of SonicOS.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"According to its self-reported version, the remote SonicWall firewall is running a version of SonicOS that is affected
by multiple vulnerabilities:

  - Stack overflow in the parsing of IPv4 packets IP options. (CVE-2019-12256)

  - TCP Urgent Pointer = 0 leads to integer underflow (CVE-2019-12255)

  - TCP Urgent Pointer state confusion caused by malformed TCP AO option (CVE-2019-12260)

  - TCP Urgent Pointer state confusion during connect to a remote host (CVE-2019-12261)

  - TCP Urgent Pointer state confusion due to race condition (CVE-2019-12263)

  - Heap overflow in DHCP Offer/ACK parsing in ipdhcpc (CVE-2019-12257)

  - TCP connection DoS via malformed TCP options (CVE-2019-12258)

  - Handling of unsolicited Reverse ARP replies (Logical Flaw) (CVE-2019-12262)

  - Logical flaw in IPv4 assignment by the ipdhcpc DHCP client (CVE-2019-12264)

  - DoS via NULL dereference in IGMP parsing (CVE-2019-12259)

  - IGMP Information leak via IGMPv3 specific membership report (CVE-2019-12265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2019-0009");
  # https://www.sonicwall.com/support/product-notification/?sol_id=190717234810906
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?06406a07");
  script_set_attribute(attribute:"see_also", value:"https://armis.com/urgent11/");
  # https://www.windriver.com/security/announcements/tcp-ip-network-stack-ipnet-urgent11/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7d3d59d");
  # https://go.armis.com/hubfs/White-papers/Urgent11%20Technical%20White%20Paper.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1994faf");
  script_set_attribute(attribute:"solution", value:
"Upgrade to the relevant fixed version referenced in the vendor security advisory.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-12262");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/29");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sonicwall:sonicos");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");

  script_copyright(english:"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl");
  script_require_keys("Host/OS");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

os = get_kb_item_or_exit("Host/OS");
if (os !~ "^SonicOS" ) audit(AUDIT_OS_NOT, "SonicWall SonicOS");

# SonicOS Enhanced 5.9.1.10-1o on a SonicWALL NSA 220
match = pregmatch(pattern:"^SonicOS(?: Enhanced)? ([0-9.]+)(?:-[^ ]*)? on a SonicWALL (.*)$", string:os);
if (isnull(match)) exit(1, "Failed to identify the version of SonicOS.");
version = match[1];
model = match[2];

fix = NULL;

# NSA, TZ, SOHO (GEN5)
if (version =~ "^5\." && (model =~ "^(NSA|TZ|SOHO)") ) {
  if (version =~ "^5\.[0-8]\.")
    fix = NULL; # Patch not required.
  else if (version =~ "^5\.9\.0\.")
    fix = "5.9.0.8";
  else if (version =~ "^5\.9\.1\.")
    fix = "5.9.1.13";
}

# NSA, TZ, SOHO, SuperMassive 92xx/94xx/96xx (GEN6+)
if (version =~ "^6\." && (model =~ "^(NSA|TZ|SOHO|SuperMassive 9[246][0-9][0-9])") ) {
  if (version =~ "^6\.1\.")
    fix = NULL; # Patch not required.
  else if (version =~ "^6\.2\.[0-3]\.")
    fix = "6.2.3.2";
  else if (version =~ "^6\.2\.4\.")
    fix = "6.2.4.4";
  else if (version =~ "^6\.2\.5\.")
    fix = "6.2.5.4";
  else if (version =~ "^6\.2\.6\.")
    fix = "6.2.6.2";
  else if (version =~ "^6\.2\.7\.")
    fix = "6.2.7.5";
  else if (version =~ "^6\.2\.9\.")
    fix = "6.2.9.3";
  else if (version =~ "^6\.5\.0\.")
    fix = "6.5.0.4";
  else if (version =~ "^6\.5\.1\.")
    fix = "6.5.1.5";
  else if (version =~ "^6\.5\.2\.")
    fix = "6.5.2.4";
  else if (version =~ "^6\.5\.3\.")
    fix = "6.5.3.4";
  else if (version =~ "^6\.5\.4\.")
    fix = "6.5.4.4";
}

# SuperMassive 12K, 10K, 9800
if (model =~ "^SuperMassive (1[02]K|9800)") {
  if (version =~ "^6\.0\.")
    fix = NULL; # Patch not required.
  else if (version =~ "^6\.2\.7\.")
    fix = "6.2.7.11";
  else if (version =~ "^6\.4\.1\.")
    fix = "6.4.1.1";
  else if (version =~ "^6\.5\.1\.")
    fix = "6.5.1.10";
}

if (isnull(fix))
  audit(AUDIT_DEVICE_NOT_VULN, "SonicWALL " + model, "SonicOS " + version);

if (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)
{
  port = 0;
  report =
    '\n  Device Model              : ' + model +
    '\n  Installed SonicOS version : ' + version +
    '\n  Fixed SonicOS version     : ' + fix +
    '\n';

  security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
}
else audit(AUDIT_DEVICE_NOT_VULN, "SonicWALL " + model, "SonicOS " + version);

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/sonicwall_SNWLID-2019-0009.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\sonicwall_SNWLID-2019-0009.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/sonicwall_SNWLID-2019-0009.nasl
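
The same version check, ported to Python so it can be run over an exported asset inventory instead of a live scan. This is an added example, not Tenable's code: the function names and the inventory lines are constructed here, while the banner pattern and the fixed-version table are transcribed from the plugin source above. A plain tuple comparison stands in for the plugin's `ver_compare` call.

```python
import re

# Same banner pattern the plugin applies to the Host/OS KB item.
BANNER = re.compile(r"^SonicOS(?: Enhanced)? ([0-9.]+)(?:-[^ ]*)? on a SonicWALL (.*)$")

GEN5 = r"^(NSA|TZ|SOHO)"
GEN6 = r"^(NSA|TZ|SOHO|SuperMassive 9[246][0-9][0-9])"
SM_HIGH = r"^SuperMassive (1[02]K|9800)"

# (model regex, version-branch regex, first fixed build), transcribed from the plugin.
FIXES = [(GEN5, r"^5\.9\.0\.", "5.9.0.8"), (GEN5, r"^5\.9\.1\.", "5.9.1.13"),
         (GEN6, r"^6\.2\.[0-3]\.", "6.2.3.2")]
FIXES += [(GEN6, "^" + re.escape(fixed[:5]) + r"\.", fixed) for fixed in (
    "6.2.4.4", "6.2.5.4", "6.2.6.2", "6.2.7.5", "6.2.9.3",
    "6.5.0.4", "6.5.1.5", "6.5.2.4", "6.5.3.4", "6.5.4.4")]
FIXES += [(SM_HIGH, r"^6\.2\.7\.", "6.2.7.11"), (SM_HIGH, r"^6\.4\.1\.", "6.4.1.1"),
          (SM_HIGH, r"^6\.5\.1\.", "6.5.1.10")]

def as_tuple(version):
    """Split a dotted version into integers so 5.9.1.10 sorts after 5.9.1.9."""
    return tuple(int(part) for part in version.split(".") if part)

def check(banner):
    """Return (verdict, model, version, fix) for one OS banner string."""
    m = BANNER.match(banner)
    if not m:
        return ("unidentified", None, None, None)
    version, model = m.group(1), m.group(2)
    for model_re, branch_re, fix in FIXES:
        if re.search(model_re, model) and re.search(branch_re, version):
            older = as_tuple(version) < as_tuple(fix)
            return ("vulnerable" if older else "not vulnerable", model, version, fix)
    # Like the plugin, a branch with no listed fix is reported as not vulnerable.
    return ("not vulnerable", model, version, None)

# Constructed inventory lines; the first is the sample banner quoted in the plugin.
INVENTORY = [
    "SonicOS Enhanced 5.9.1.10-1o on a SonicWALL NSA 220",
    "SonicOS Enhanced 6.5.4.4-44n on a SonicWALL TZ 300",
    "SonicOS 6.2.7.9 on a SonicWALL SuperMassive 9800",
    "SonicOS Enhanced 6.2.8.1 on a SonicWALL NSA 2600",
]

if __name__ == "__main__":
    for line in INVENTORY:
        print(check(line))
```

The third line shows why the model matters: 6.2.7.9 is past the 6.2.7.5 fix for the NSA/TZ/SOHO family but still below the 6.2.7.11 fix for the SuperMassive 9800. The fourth shows that a version branch absent from the table (6.2.8 here) is reported as not vulnerable, so such results deserve a manual look at the vendor advisory.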


How to Run


Here is how to run the SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Firewalls plugin family.
  6. On the right side table select SonicWall SonicOS Firewall Multiple Management Vulnerabilities (URGENT/11) plugin ID 127107.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl sonicwall_SNWLID-2019-0009.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a sonicwall_SNWLID-2019-0009.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - sonicwall_SNWLID-2019-0009.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state sonicwall_SNWLID-2019-0009.nasl -t <IP/HOST>


References


IAVA | Information Assurance Vulnerability Alert:
  • 2019-A-0274-S
See also: Similar and related Nessus plugins:
  • 500065 - Siemens (CVE-2019-12255)
  • 500279 - Siemens (CVE-2019-12256)
  • 500067 - Siemens (CVE-2019-12258)
  • 500292 - Siemens (CVE-2019-12260)
  • 127108 - Wind River VxWorks Multiple Vulnerabilities (URGENT/11)
  • 127109 - Xerox WorkCentre Multiple Vulnerabilities (XRX19-016) (URGENT/11)
  • 141474 - SonicWall SonicOS Buffer Overflow Vulnerability
  • 27618 - SonicWALL SSL-VPN NetExtender NELaunchCtrl ActiveX Control Multiple Overflows
  • 146091 - SonicWall Secure Mobile Access Remote Code Execution (SNWLID-2021-0001)
  • 159487 - SonicWall Secure Mobile Access (SMA) SQLi (SNWLID-2021-0017)
  • 153807 - SonicWall Secure Mobile Access Arbitrary File Delete (SNWLID-2021-0021)
  • 155961 - SonicWall Secure Mobile Access Multiple Vulnerabilities (SNWLID-2021-0026)
  • 150720 - SonicWall Secure Remote Access (SRA) Pre-Authentication SQLi (CVE-2019-7481)
  • 159486 - SonicWall Secure Remote Access (SRA) SQLi (SNWLID-2021-0017)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file sonicwall_SNWLID-2019-0009.nasl version 1.6. For more plugins, visit the Nessus Plugin Library.
