Despite having been patched last year, SonicWall VPN appliances have now been found to contain an unrecognized memory leak flaw that could allow a remote attacker to access sensitive information. The shortcoming, categorized as a critical vulnerability, was patched in SonicOS on June 22.
CVE-2021-20019 (CVSS score: 5.3) is a memory leak triggered by specially crafted, unauthenticated HTTP requests, resulting in information disclosure.
Why did SonicWall delay launching the patch?
SonicWall's choice to hold back the patch comes amid recent zero-day disclosures affecting its remote access VPN and email security products. Those flaws have been exploited in live attacks to deploy backdoors and FIVEHANDS ransomware. There has been no indication, however, that this flaw has been exploited.
In an advisory published Tuesday, SonicWall noted that certain versions of SonicOS running on specific SonicWall firewalls contain a vulnerability that allows partial memory leaks via HTTP server responses. “There may be a vulnerability that allows sensitive information to be exposed internally.”
A buffer overflow vulnerability in SonicOS (CVSS rating: 9.4) allowed a remote attacker to cause a denial-of-service (DoS) and potentially execute arbitrary code by sending malicious communications through the SonicOS firewalls. Tripwire uncovered the memory leak as the result of an improper fix in SonicWall's October 2020 patch for that flaw.
The previous fix was not good enough
In October 2020, SonicWall issued a patch to fix CVE-2020-5135. However, further testing by cybersecurity firm Tripwire found a memory leak caused by an improper fix, explains security researcher Craig Young, who notified SonicWall on October 6, 2020.
Young noted in a write-up on Tuesday:
“As a one- or two-line fix with minimal impact, I had expected that a patch would probably come out quickly but, fast-forward to March, and I still had not heard back. I reconnected with their PSIRT on March 1, 2021 for an update, but ultimately it took until well into June before an advisory could be released.”