SonicWall ‘Botches’ October Patch for Critical VPN Bug
Quote: A patch rolled out in October for a critical SonicWall VPN bug turned out to be insufficient to fix the problem, leaving more than 800,000 devices vulnerable to remote code execution (RCE) for months, one of the researchers who identified the flaw has found.
 
SonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as CVE-2020-5135, back in October.
 
However, Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was “botched,” needing a “one- or two-line fix” to be complete, he wrote in a report published Tuesday, which details the specifics of where the fix went wrong.
 
Moreover, though SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.
 
“I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,” he wrote. “I reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.”
 
Young and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.
 
The vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his analysis at the time.

Read more: SonicWall ‘Botches’ October Patch for Critical VPN Bug | Threatpost