A critical vulnerability in SonicWall VPN appliances that was believed to have been patched last year has been now found to be “botched,” with the company leaving a memory leak flaw unaddressed, until now, that could permit a remote attacker to gain access to sensitive information.
The shortcoming was rectified in an update rolled out to SonicOS on June 22.
Tracked as CVE-2021-20019 (CVSS score: 5.3), the vulnerability is the consequence of a memory leak when sending a specially-crafted unauthenticated HTTP request, culminating in information disclosure.
It’s worth noting that SonicWall’s decision to hold back the patch comes amid multiple zero-day disclosures affecting its remote access VPN and email security products that have been exploited in a series of in-the-wild attacks to deploy backdoors and a new strain of ransomware called FIVEHANDS.
However, there is no evidence that the flaw is being exploited in the wild.
images from Hacker News