SonicWALL VPN Client Advisory

Posted on December 11th, 2007 by Ryan Spanier

GSA Reference Number: AD071211-01

Simply Put: A notice has been sent out on a vulnerability in the SonicWALL Global VPN Client. This client is used on computers outside the organization, such as home PCs and laptops, to connect back to the corporate network. This is not a vulnerability affecting the firewall. If a user downloads a new configuration file, it could be used to run arbitrary code on the machine. This file would have to be downloaded from a malicious website or received in an email from an attacker. The likelihood that a user would download this type of file is low, but not impossible. Gladiator recommends installing the new version of the application on each laptop or home PC needing VPN access. This issue only affects users with SonicWALL firewalls. See below for technical details.

Products Affected:

  • SonicWALL Global VPN Client 3.x
  • SonicWALL Global VPN Client 4.x

Advisory Details: If a malicious configuration file is imported into a vulnerable client, it results in the execution of arbitrary code. Users would have to be tricked into downloading the configuration file from the web and importing it into their client. SonicWALL has issued a new version of their VPN client to resolve this issue. Update all clients to version 4.0.0.830.
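To confirm which machines still need the update, the following PowerShell check (an added example, not part of the original advisory or SonicWALL's tooling) reports any installed Global VPN Client and compares its version to 4.0.0.830. It assumes the client registers under the standard Windows Uninstall registry keys with a display name containing "Global VPN Client"; the function name and status strings are hypothetical.

```powershell
# Added example: flag Global VPN Client installs older than the fixed build.
$FixedVersion = [version]'4.0.0.830'    # fixed version named in the advisory
$NamePattern  = '*Global VPN Client*'   # ASSUMPTION: display name pattern

# Standard per-machine uninstall keys (64-bit view and 32-bit view).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Hypothetical helper: classify a DisplayVersion string against the advisory.
function Get-GvcStatus {
    param([string]$DisplayVersion)

    $parsed = $null
    if ([string]::IsNullOrWhiteSpace($DisplayVersion) -or
        -not [version]::TryParse($DisplayVersion.Trim(), [ref]$parsed)) {
        # Missing or non-numeric version: do not guess, send it to a human.
        return 'UNKNOWN - check manually'
    }
    if ($parsed -ge $FixedVersion) { return 'OK - at or above fixed version' }
    if ($parsed.Major -in 3, 4)    { return 'UPDATE REQUIRED - affected 3.x/4.x' }
    return 'REVIEW - below fixed version, branch not listed in advisory'
}

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like $NamePattern }

if (-not $found) {
    Write-Output "No Global VPN Client install found on $env:COMPUTERNAME"
    return
}

$found | ForEach-Object {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Name     = $_.DisplayName
        Version  = $_.DisplayVersion
        Status   = Get-GvcStatus $_.DisplayVersion
    }
}
```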

Gladiator Customer Notes: The client referenced above can be downloaded from the Gladiator Vault Announcements Page. Software vulnerable to this bug resides outside of the enterprise environment and as such is outside the scope of Gladiator monitoring services. If you have any questions, please contact the Gladiator Security Operations Center at 678.461.4620 or soc@gladtech.net.


Reader Comments

You can download the update from the mysonicwall.com website. Your SonicWALL has to be registered and you need a current maintenance subscription.