Security News > 2020 > October > Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
2020-10-14 18:43
UPDATE. A critical security bug in the SonicWall VPN portal can be used to crash the device and prevent users from connecting to corporate resources.
"The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password," Young told Threatpost.
SonicWall has issued a patch; SSL VPN portals may be disconnected from the internet as a temporary mitigation before the patch is applied.
CVE-2020-5142 allows an unauthenticated attacker to inject JavaScript code in the firewall SSL-VPN portal.
Several vulnerabilities open a path to DoS attacks and can be used even by an unauthenticated attacker.
News URL
https://threatpost.com/critical-sonicwall-vpn-bug/160108/
Related news
- Over 25,000 SonicWall VPN Firewalls exposed to critical flaws (source)
- Critical Flaws in Ollama AI Framework Could Enable DoS, Model Theft, and Poisoning (source)
- Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices (source)
- HPE warns of critical RCE flaws in Aruba Networking access points (source)
- Critical Veeam RCE bug now used in Frag ransomware attacks (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Critical RCE bug in VMware vCenter Server now exploited in attacks (source)
- Critical 9.8-rated VMware vCenter RCE bug exploited after patch fumble (source)
- D-Link urges users to retire VPN routers impacted by unfixed RCE flaw (source)
- Hackers exploit critical bug in Array Networks SSL VPN products (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-10-12 | CVE-2020-5142 | Cross-site Scripting vulnerability in Sonicwall Sonicos and Sonicosv A stored cross-site scripting (XSS) vulnerability exists in the SonicOS SSLVPN web interface. | 6.1 |