EX SSL-VPN: An attacker can impersonate a user session without verification of credentials on firmware version 10.6.4, 10.7.1 or 11.0.0
03/26/2020 1056 10445
DESCRIPTION: EX SSL-VPN: An attacker can impersonate a user session without verification of credentials on firmware versions 10.6.4, 10.7.1 or 11.0.0.
RESOLUTION: SonicWall notice concerning “User can access the Workplace without any authentication”.
SonicWall Engineering has found a security vulnerability that affects E-Class SRA v10.6.4, v10.7.1, and the new Secure Mobile Access v11.0. This design flaw could enable an attacker to impersonate any legitimate user, without supplying that user's credentials, and access the network as if they were that user.
It is important to state that there have been no reports of this flaw being exploited to compromise an appliance. However, we are taking proactive action to remove the possibility of anyone taking advantage of this vulnerability.
Affected SonicWall E-Class SRA software versions
Product: E-Class Secure Remote Access (Aventail)
Component: E-Class SRA server-side software
Software versions with a fix: 10.6.4, 10.7.1 and 11.0.0
The versions above are affected and should be patched immediately.
Hotfixes for the respective versions can be downloaded from the links below:
Note: All of these hotfixes have been QA tested and released as cumulative fixes that include previously addressed issues. They are also available under the individually released hotfix links for 10.6.4, 10.7.1 and 11.0.0.