SonicWall issues another fix for botched VPN patch

How to use a VPN
(Image credit: Shutterstock)

SonicWall has been forced to issue another patch to fix a vulnerability that was originally reported in September 2020 and affected over 800,000 SonicWall VPNs.

Originally tagged and treated as CVE-2020-5135, the issue was identified as a critical stack-based Buffer Overflow vulnerability that reportedly could be exploited by remote attackers to execute arbitrary code on the impacted devices, or cause Denial of Service (DoS).

Cybersecurity solutions provider SonicWall released a fix to patch the vulnerability in October 2020. However, as it turns out, the fix wasn’t properly coded and in fact caused a memory dump issue causing SonicWall to get back to the drawing board to address the issue, which has now been fixed.

Craig Young, security researcher at TripWire, who was co-credited along with Nikita Abramov of Positive Technologies, as the discoverer for the CVE-2020-5135 vulnerability, has published a detailed account of his interactions with SonicWall for fixing the “botched fix.”

Better late than never

Young shares that he noticed that something was amiss with the October patch for CVE-2020-5135 and alerted SonicWall on October 6.

“On October 9, SonicWall confirmed my expectation that this was the result of an improper fix for CVE-2020-5135 and told me that the patched firmware versions had already started to become available on mysonicwall.com as well as via Azure,” writes Young.

He claims that although SonicWall had shared an advisory for the patched fix, now tracked as CVE-2021-20019 back in October 2020 itself, it wasn’t until several months later in June 2021 that the advisory was made public and the fix pushed to customers.

In a statement, SonicWall told us, "SonicWall is active in collaborating with third-party researchers, security vendors and forensic analysis firms to ensure its products meet or exceed expected security standards. Through the course of this practice, SonicWall was made aware of, verified, tested and patched a non-critical buffer overflow vulnerability that impacted versions of SonicOS. SonicWall is not aware of this vulnerability being exploited in the wild. As always, SonicWall strongly encourages organizations maintain patch diligence for all security products."

  • We've also put together a list of the best VPN solutions available

Via Bleeping Computer

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.