Critical flaw in SonicWall’s firewalls patched, update quickly! (CVE-2020-5135)
Earlier this week SonicWall patched 11 vulnerabilities affecting its Network Security Appliance.
The SonicWall NSAs are next-generation firewall appliances, with a sandbox, an intrusion prevention system, SSL/TLS decryption and inspection capabilities, network-based malware protection, and VPN capabilities.
"The flaw can be triggered by an unauthenticated HTTP request involving a custom protocol handler. The vulnerability exists within the HTTP/HTTPS service used for product management as well as SSL VPN remote access," Tripwire VERT explained.
"SonicWall was contacted by a third-party research team regarding issues related to SonicWall next-generation NSv virtual firewall models that could potentially result in Denial-of-Service attacks and/or cross-site scripting vulnerabilities. Immediately upon discovery, SonicWall researchers conducted extensive testing and code review to confirm the third-party research. This analysis led to the discovery of 11 unique vulnerabilities requiring Common Vulnerabilities and Exposures listings based on the Common Vulnerability Scoring System," a SonicWall spokesperson told Help Net Security.
"The PSIRT team worked to duplicate the issues and develop, test and release patches for the affected products. At this time, SonicWall is not aware of a vulnerability that has been exploited or that any customer has been impacted."
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/0KUEXbFLvhA/