SonicWall ‘Botches’ October Patch for Critical VPN Bug
Quote: A patch rolled out in October for a critical SonicWall VPN bug turned out to be insufficient to fix the problem, leaving more than 800,000 devices vulnerable to remote code execution (RCE) for months, one of the researchers who identified the flaw has found.
 
SonicWall originally patched the stack-based buffer overflow vulnerability in the SonicWall Network Security Appliance (NSA), tracked as CVE-2020-5135, back in October.
 
However, Craig Young, a computer security researcher with Tripwire’s Vulnerability and Exposures Research Team (VERT), said the initial patch for the vulnerability was “botched,” needing a “one- or two-line fix” to be complete, he wrote in a report published Tuesday, which details the specifics of where the fix went wrong.
 
Moreover, though SonicWall was aware of the problem soon after the fix was released, it only released a complete patch this week, Young wrote.
 
“I had expected that a patch would probably come out quickly but, fast-forward to March and I still had not heard back,” he wrote. “I reconnected with their PSIRT [Product Security Incident Response Team] on March 1, 2021, for an update, but ultimately it took until well into June before an advisory could be released.”
 
Young and Nikita Abramov, application analysis specialist at Positive Technologies (PT), were credited back in October with finding the flaw, which exists within the HTTP/HTTPS service used for product management and SSL VPN remote access.
 
The vulnerability could allow an unskilled attacker to trigger a persistent denial-of-service (DoS) condition using an unauthenticated HTTP request involving a custom protocol handler, as well as spread further damage, Young wrote in his analysis at the time.

Read more: SonicWall ‘Botches’ October Patch for Critical VPN Bug | Threatpost