Recently, our company received a notification from the China National Vulnerability Database (CNVD) that Sangfor SSL VPN has an injection vulnerability. The vulnerability exists in earlier versions of the product; an attacker can exploit it to gain control of the SSL VPN device. Sangfor has released a patch for this vulnerability and has begun remediation.
Versions and Fix
The vulnerability affects Sangfor SSL VPN 7.6.7 and earlier; newer versions are not affected. It is resolved by upgrading from 7.6.7 or earlier to a newer version, or by installing the latest security patch package. Devices on which the "Allow Automatic Updates" function is turned on have already been fixed automatically online; devices on which it is turned off must be fixed manually.
An interface of the SSL VPN has an injection vulnerability in a URL parameter. An attacker can send crafted requests to this interface to implant a webshell and thereby gain control of the SSL VPN device.
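The advisory does not name the vulnerable interface or parameter, so a defender hunting for exploitation attempts has to work from the shape of the attack: a URL parameter carrying an injection payload, followed by a webshell drop. The script below is an added example (not Sangfor's code or tooling) that decodes every query-string value in access-log lines and flags values containing shell metacharacters or common webshell markers. The /portal/... paths, the IP addresses and the log lines are constructed for illustration and do not describe any real Sangfor endpoint.

```python
"""Hunt for injection attempts against URL parameters in SSL VPN access logs.

Added example; this is not Sangfor's code. The advisory does not name the
vulnerable interface or parameter, so the check is generic: it decodes every
query-string value (twice, to catch double encoding) and flags values that
carry shell metacharacters or common webshell markers. The paths and log
lines below are constructed for illustration.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Combined-log-format lines, constructed for this example (not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [28/Dec/2020:09:58:11 +0800] "GET /portal/index?lang=en&theme=blue HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.4 - - [28/Dec/2020:09:58:40 +0800] "GET /portal/search?q=vpn%20client%20download HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Dec/2020:10:01:02 +0800] "GET /portal/index?lang=en%3Becho%20%27%3C%3Fphp%20eval(%24_POST%5Bc%5D)%3B%3F%3E%27%3Etmp.php HTTP/1.1" 200 4123 "-" "python-requests/2.25"
203.0.113.7 - - [28/Dec/2020:10:01:09 +0800] "GET /portal/index?lang=en%257Cid HTTP/1.1" 500 0 "-" "python-requests/2.25"
203.0.113.7 - - [28/Dec/2020:10:01:15 +0800] "POST /portal/tmp.php HTTP/1.1" 200 77 "-" "python-requests/2.25"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Shell metacharacters, command substitution, PHP open tags and the usual
# webshell functions. Deliberately broad; tune the list to the platform.
INJECTION_MARKERS = re.compile(
    r"[;|`&]|\$\(|<\?php|<\?=|"
    r"\b(?:eval|system|passthru|exec|shell_exec|base64_decode)\s*\(",
    re.IGNORECASE,
)


def decode_query(query):
    """Split a raw query string into (name, value) pairs, decoding each value
    twice so double-encoded payloads (e.g. %257C -> %7C -> |) surface.
    Done by hand rather than with parse_qsl so ';' inside a value survives."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(unquote_plus(value))))
    return pairs


def flag_injection_attempts(log_text):
    """Return one finding per query parameter whose decoded value looks like
    an injection payload: source IP, timestamp, path, parameter, value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        for name, value in decode_query(parts.query):
            if INJECTION_MARKERS.search(value):
                findings.append({
                    "ip": m["ip"], "time": m["ts"], "path": parts.path,
                    "param": name, "value": value, "status": m["status"],
                })
    return findings


def suspicious_sources(findings):
    """Distinct source IPs to pivot on: check what else they requested
    afterwards, in particular POSTs to script paths that did not exist before."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    for f in flag_injection_attempts(SAMPLE_LOG):
        print(f"{f['ip']} {f['time']} {f['path']} {f['param']}={f['value']!r}")
```

On the constructed sample this reports the two requests from 203.0.113.7 (one plain and one double-encoded payload in the lang parameter) and ignores the benign traffic; the later POST to /portal/tmp.php from the same source is the kind of follow-up request to pivot on once a source is flagged. Adjust LOG_RE to the device's actual log format and expect some false positives from legitimate values containing "&" or ";".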
Precautions & Measures
- Change the administrator password regularly and enforce password complexity: the password should contain at least three of the four character classes (uppercase letters, lowercase letters, digits, special characters).
- Make sure Internet-facing access to the product's management console is turned off. If remote operation and maintenance is required, first connect to the intranet over SSL VPN or another secure method and reach the console from there.
- Restrict console login to an allowlist of IP addresses, granting console access only to the addresses used by operation and maintenance personnel.
- Close non-essential open ports on the product, such as remote maintenance ports and SSH ports.
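The version range in the "Versions and Fix" section and the measures above can be turned into a short triage script. The code below is an added example (not Sangfor tooling): the affected range (7.6.7 and below) and the three-of-four character-class rule come from the advisory, while the minimum password length, the CIDR allowlist format and the sample device values are assumptions for illustration. The version check compares numeric components, which matters because a plain string comparison would wrongly treat "7.6.10" as older than "7.6.7".

```python
"""Triage helpers for the affected version range and the measures above.

Added example; not Sangfor tooling. The affected range (7.6.7 and below) and
the three-of-four character-class rule come from the advisory; the minimum
password length, the allowlist format (CIDR strings) and the sample device
data are assumptions for illustration.
"""
import ipaddress
import re

LAST_AFFECTED = (7, 6, 7)  # advisory: SSL VPN 7.6.7 and below are affected


def parse_version(text):
    """'7.6.7' -> (7, 6, 7). Compared as integers: a string comparison would
    wrongly rank '7.6.10' below '7.6.7'. Missing components count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    if not nums:
        raise ValueError(f"no version number in {text!r}")
    return tuple((nums + [0, 0, 0])[:3])


def is_affected(version):
    """True when the device runs 7.6.7 or earlier."""
    return parse_version(version) <= LAST_AFFECTED


# Character classes named in the advisory: uppercase, lowercase, digit, special.
CHAR_CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())


def password_meets_policy(password, min_classes=3, min_length=12):
    """At least three of the four classes (from the advisory); min_length is
    an added assumption, not part of the advisory."""
    present = sum(any(test(c) for c in password) for test in CHAR_CLASSES)
    return len(password) >= min_length and present >= min_classes


def console_source_allowed(src_ip, allowlist):
    """True if src_ip falls inside any allowlisted CIDR (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allowlist)


def triage(version, internet_console_enabled, console_allowlist, open_ports, essential_ports):
    """Apply the advisory's checklist to one device and return the open items."""
    findings = []
    if is_affected(version):
        findings.append(f"version {version} is within the affected range (<= 7.6.7): "
                        "upgrade or install the latest security patch package")
    if internet_console_enabled:
        findings.append("console is reachable from the Internet: disable it and "
                        "reach the console over SSL VPN or the intranet instead")
    if not console_allowlist:
        findings.append("no IP allowlist on console login: restrict to O&M addresses")
    extra = sorted(set(open_ports) - set(essential_ports))
    if extra:
        findings.append(f"non-essential ports open: {extra}")
    return findings


if __name__ == "__main__":
    # Constructed device record for illustration (assumed values).
    for item in triage("7.6.7", True, [], [443, 22, 8443], [443]):
        print("-", item)
```

Feed triage() with values read from the device's own configuration; the function reports every checklist item that is still open, and an empty list means the device is outside the affected range and already configured as the measures recommend.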
How to Obtain the Current Version
Call Sangfor's vulnerability repair hotline +60 12711 7129 or contact local service personnel to obtain the patch tools or assistance with upgrading.
Source of vulnerability
China National Vulnerability Database (CNVD)
Sangfor Security Emergency Response External Service
Any software/patch you download from Sangfor's service page is the copyrighted work of Sangfor and/or its suppliers. Without Sangfor's permission, you may not disclose relevant information to other third parties, and except for service purposes, you may not further repair, modify, distribute, publish, license, transfer, or sell the software/patch, try to extract its source code through decompilation, or otherwise attempt to extract any or all of the source code. This document does not promise any express, implied or statutory guarantees, including, but not limited to, warranties of merchantability, non-infringement, or fitness for a particular purpose. Under any circumstances, Sangfor Technology Co., Ltd. or its directly or indirectly controlled subsidiaries shall not be liable for any losses, including direct, indirect, incidental or inevitable loss of business profits or special losses. You shall bear all legal responsibilities arising from your use of this document in any way. Sangfor may modify or update the content and information of this document at any time.
First Release: 2020-12-28 V1.0