SonicWall fixes vulnerabilities in its routers
SonicWall has released an update for its SonicOS Enhanced router operating system for the SonicWALL TZ 190, TZ 190 Wireless, TZ 180 and TZ 180 Wireless devices. The firmware update removes two vulnerabilities along with other changes. The first fix prevents attackers from carrying out DNS cache poisoning attacks on the routers and redirecting users to specially crafted web pages, a problem that has been known about since the beginning of July.
The update also solves a problem with the display of the error page that appears when a user tries to access a blocked web page. In certain circumstances, vulnerable firewalls execute attached JavaScript code in the context of the accessed domain. According to the Zero Day Initiative (ZDI), which discovered the hole, the vulnerability could be exploited for more extensive attacks.
See also:
- SonicOS Enhanced 4.0.1.1 Release Notes, document by SonicWall
- SonicWALL Content-Filtering Universal Script Injection Vulnerability, advisory by ZDI
(lghp)