Security Advisory: Buffer Overflow in HTTP Request Header Leads to Partial Memory Leak
First Published:06/21/2021
Last Updated:06/22/2021
SonicWall physical and virtual firewalls running certain versions of SonicOS may contain a vulnerability where the HTTP server response leaks partial memory. This can potentially lead to an internal sensitive data disclosure vulnerability.
At this time, there is no indication that the discovered vulnerability is being exploited in the wild.
RESOLUTION
SonicWall strongly advises customers apply the respective SonicOS patch immediately. After reviewing this security advisory, please go to MySonicWall and download the appropriate SonicOS patch release from the table below.
| Platforms | SonicOS Running Version | SonicOS Patch Release (Update to version or later) |
| NSa, TZ (GEN7) | NSa,TZ- 7.0.1-713 and older | 7.0.0-R906 and later, 7.0.1-R1456 |
| NSsp (GEN7) | NSsp- below <7.0.0.376 | 7.0.0.376 and later, 7.0.1-R579 |
| NSv (Virtual: GEN7) | NSsp 7.0.1-R1036 | 7.0.1-R1282/R1283 |
| NSa, TZ, SOHO W, SuperMassive 92xx/94xx/96xx (GEN6+) | 6.5.4.8-83n and older | 6.5.4.8-89n |
| NSsp 12K, SuperMassive 9800 | 6.5.1.12-3n and older | Pending Release |
| SuperMassive 10k | 6.0.5.3-94o and older | Pending Release |
| NSv (Virtual: VMWare/Hyper-V/AWS/Azure/KVM) | SonicOSv - 6.5.4.4-44v-21-955 and older | 6.5.4.4-44v-21-1288 |
For step-by-step guidance on upgrading your SonicOS firmware, please reference “How to Update SonicOS Firmware.”
Additional Resources
- SonicWall PSIRT Advisory - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0006
- CVE-2021-20019: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20019
