SonicWall ‘Botches’ October Patch for Critical VPN Bug
SonicWall’s October patch for a critical VPN bug has turned out to be insufficient, leaving more than 80,000 devices exposed to remote code execution for months. The patch was released in October, but it did not actually fix the vulnerability. SonicWall finally released a complete fix this week for the RCE flaw, which could also result in crashes or prevent users from connecting to corporate resources. The inadequacy of the original patch was discovered by one of the researchers who first identified the flaw, a stack-based buffer overflow in the SonicWall Network Security Appliance.
Researcher Craig Young found that the patch needed only a one- or two-line fix to be complete, and that although individuals may have installed the original fix, they were not protected. Young also asserts that SonicWall was aware of the problem soon after the fix was released in October, yet it only released a complete patch this week. According to Young’s original analysis of the flaw, the vulnerability could allow an unskilled attacker to trigger a denial-of-service condition using an unauthenticated HTTP request involving a custom protocol handler.