Recently, our company received a notification from the "China National Vulnerability Database" that Sangfor SSL VPN may have a potential injection vulnerability. This vulnerability exists in some previous versions of Sangfor's product. Attackers can use the vulnerability to gain control of SSL VPN devices. Sangfor has released the patch for this vulnerability and started the repair work simultaneously.
Versions and Fix
The scope of the vulnerability is Sangfor SSL VPN 7.6.7 and below, and newer version will not be affected. The vulnerabilities problem mentioned above can be solved by upgrading SSL VPN 7.6.7 to a newer version or installing the latest security patch package. At the same time, for customers who have turned on the "Allow Automatic Updates" function, the product has been automatically fixed online. For customers who have not turned on this function, the products need to be fixed manually.
Attackers can use this vulnerability to construct malicious requests to gain control of SSL VPN devices.
There is an injection vulnerability in the URL parameter in an interface of the SSL VPN, through which an attacker can implant a webshell.
Precautions & Measures
Current Version Product Obtain Method
Call Sangfor's vulnerability repair hotline +60 12711 7129 or contact local service personnel to obtain the patch tools or gain assistance in upgrading.
Source of vulnerability
Chinese National Vulnerability Database (CNVD)
Sangfor Security Emergency Response External Service
Any software/patch you download from Sangfor's service page is the copyrighted work of Sangfor and/or its suppliers. Without Sangfor's permission, you may not disclose relevant information to other third parties, and except for service purposes, you may not further repair, modify , distribute, publish, license, transfer, sell the software/patch, try to extract its source code through decompilation or otherwise attempt to extract any or all of the source code. This document does not promise any express, implied and statutory guarantees, including , but not limited to, warranties of merchantability, non-infringement, or fitness for a particular purpose. Under any circumstances, Sangfor Technology Co., Ltd. or its directly or indirectly controlled subsidiaries shall not be liable for any losses, including direct, indirect, incidental,inevitable loss of business profits or special losses. You shall bear all legal responsibilities arising from your use of this document in any way. Sangfor can modify or update the content and information of this document at any time.
First Release: 2020-12-28 V1.0