SonicWALL SSL-VPN 200 Patch Released
GSA Reference Number: AD090602-01
Simply Put: SonicWALL has released a patch for an internal memory disclosure vulnerability in its SSL-VPN products. Note that this vulnerability does not affect its firewall or unified threat management products, only the stand-alone SSL-VPN devices. The vulnerability allows an unauthenticated attacker to manipulate the portal login page to read parts of internal memory, which could lead to information disclosure.
Vulnerability Details: From SonicWALL: “On the portal login page, this vulnerability allows remote attackers to execute format string specifiers on the remote appliance as an unauthenticated user. Using particular format string specifiers, it is possible to read internal memory remotely, potentially revealing sensitive information. The vulnerability impacts all portals running firmware from v2.1 up to and including v3.0.0.8.”
Countermeasures: Gladiator recommends users upgrade to the newest firmware, version 3.0.0.9. The firmware can be acquired from SonicWALL’s website at www.mysonicwall.com. Gladiator clients can contact the Security Operations Center at 877-GLADHELP with questions or to request assistance.
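The following is an added example, not code from SonicWALL or Gladiator: a small triage script that sorts an appliance inventory by the affected range quoted above (v2.1 through v3.0.0.8, fixed in 3.0.0.9). The host names, the inventory contents and the assumption that firmware is reported as a dotted number with an optional "v" prefix or build suffix are all constructed for illustration.

```python
import re

# Range stated in the advisory: v2.1 up to and including v3.0.0.8.
FIRST_AFFECTED = (2, 1, 0, 0)
LAST_AFFECTED = (3, 0, 0, 8)


def parse_version(text):
    """Return a 4-tuple of ints for a dotted version, or None if unparseable.

    Assumption: up to four numeric components, optional leading 'v',
    optional trailing build suffix (ignored). Short versions are zero-padded.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+){0,3})(?![.\d])", text, re.IGNORECASE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(text):
    """Map a reported firmware string to a triage status."""
    v = parse_version(text)
    if v is None:
        return "unknown"        # check the appliance by hand
    if v < FIRST_AFFECTED:
        return "below-range"    # older than the range the advisory lists
    if v <= LAST_AFFECTED:      # numeric compare, so 3.0.0.10 > 3.0.0.8
        return "affected"
    return "not-affected"


def triage(inventory):
    """Return {host: status} for a {host: firmware string} inventory."""
    return {host: classify(fw) for host, fw in inventory.items()}


# Constructed sample inventory (hypothetical hosts and values).
INVENTORY = {
    "vpn-branch-01": "2.1",
    "vpn-hq": "3.0.0.8",
    "vpn-dr": "v3.0.0.9",
    "vpn-lab": "2.0.5",
    "vpn-old": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:15} {status}")
```

Devices reported as "unknown" or "below-range" are not covered by the quoted range and should be checked individually.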
Reference Links:
- Security Focus Bugtraq Entry (http://www.securityfocus.com/archive/1/503913)
- Security Focus Vulnerability Entry (http://www.securityfocus.com/bid/35145/info)
- SonicWALL Homepage (http://www.sonicwall.com)
- MySonicWALL website (http://www.mysonicwall.com)