Ethical Hacking News
A critical vulnerability in SonicWall firewalls has been exploited by attackers shortly after a proof-of-concept exploit was released, emphasizing the need for immediate action from network administrators to update their systems and strengthen their defenses against such threats.
SonicWall has faced a critical authentication bypass vulnerability (CVE-2024-53704) in its SonicOS operating system, which can be exploited by attackers to hijack active SSL VPN sessions without needing authentication. The vulnerability affects SonicOS versions 7.1.x up to 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035, which are used by various Gen 6 and Gen 7 firewalls and SOHO series devices. SonicWall has urged its customers to upgrade their firewalls' firmware to prevent exploitation and provided mitigation measures for network administrators who cannot perform the necessary upgrades immediately. Cybersecurity firm Arctic Wolf has confirmed attempts at exploiting this vulnerability in attacks shortly after the proof-of-concept (PoC) exploit was made public. A recent incident showed approximately 4,500 unpatched SonicWall SSL VPN servers were exposed online, highlighting the importance of staying updated on security patches for network equipment like SonicWall firewalls.
SonicWall, a prominent manufacturer of network security solutions, has recently faced a significant challenge due to an authentication bypass vulnerability that has been exploited by attackers. The vulnerability, tagged as critical severity and identified by the Cybersecurity and Infrastructure Security Agency (CISA) as CVE-2024-53704, affects SonicOS versions 7.1.x up to 7.1.1-7058, 7.1.2-7019, and 8.0.0-8035.
These versions of the SonicOS operating system are used by a variety of Gen 6 and Gen 7 firewalls as well as SOHO series devices. The vulnerability in question is located within the SSLVPN authentication mechanism, which poses an alarming threat to the security of networks that utilize these products. Attackers can exploit this vulnerability to hijack active SSL VPN sessions without needing authentication, effectively granting them unauthorized access to targeted networks.
SonicWall has issued an urgent warning to its customers, urging them to upgrade their firewalls' SonicOS firmware to prevent exploitation by these malicious actors. The company also provided mitigation measures for network administrators who are unable to perform the necessary upgrades immediately, including limiting access to trusted sources and restricting access from the Internet entirely if not required.
Cybersecurity firm Arctic Wolf has confirmed that it started detecting attempts to exploit this vulnerability in attacks "shortly after the proof-of-concept (PoC) exploit was made public." The PoC exploit allows an unauthenticated threat actor to bypass multi-factor authentication, disclose private information, and interrupt running VPN sessions. Arctic Wolf strongly advises its clients to upgrade their firewalls to fixed firmware to address this vulnerability.
A recent incident involving security researchers at Bishop Fox has provided further insight into the potential scale of the problem. The researchers published a PoC exploit for the SonicOS SSLVPN Authentication Bypass Vulnerability on February 10, roughly one month after patches were released. Internet scans conducted on February 7 found approximately 4,500 unpatched SonicWall SSL VPN servers exposed online.
SonicWall warned its customers about the vulnerability soon after the exploit code was made public and issued the following statement: "Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available. This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update is not possible, disable SSLVPN."
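The practical first step behind the vendor's advice is working out which firewalls in an inventory still run an affected build. As an added example (not code from the article, from SonicWall, or from Arctic Wolf), the Python script below parses SonicOS version strings of the form major.minor.patch-build, compares them against the affected ranges the article lists (all 7.1.x builds up to and including 7.1.1-7058, plus 7.1.2-7019 and 8.0.0-8035), and triages a constructed inventory. Assumptions: the hostnames, the comma-separated inventory format and the sample versions are invented for this example; earlier builds of the 7.1.2 and 8.0.0 trains are treated as affected although the article names only one build for each; and because the page does not list the fixed build numbers, a "not affected" result for a build above a listed ceiling is a best guess to be confirmed against the vendor advisory.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class SonicOSVersion(NamedTuple):
    """SonicOS firmware version in major.minor.patch-build form, e.g. 7.1.1-7058.

    Field order is chosen so that plain tuple comparison yields version order.
    """
    major: int
    minor: int
    patch: int
    build: int

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}-{self.build}"


# Matches the numeric core of a version string; a leading "SonicOS " label or
# trailing text is ignored (assumption about how inventories record the value).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)")


def parse_version(text: str) -> Optional[SonicOSVersion]:
    """Return the parsed version, or None when no major.minor.patch-build core is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return SonicOSVersion(*(int(group) for group in match.groups()))


# Affected ranges as stated in the article. Each (major, minor, patch) train maps to the
# highest build treated as affected. 7.1.0-* and 7.1.1-* share the 7.1.1-7058 ceiling
# ("7.1.x up to 7.1.1-7058"). Treating builds below 7.1.2-7019 and 8.0.0-8035 as affected
# is an assumption; the article names only those single builds for the two trains.
AFFECTED_CEILINGS = {
    (7, 1, 0): SonicOSVersion(7, 1, 1, 7058),
    (7, 1, 1): SonicOSVersion(7, 1, 1, 7058),
    (7, 1, 2): SonicOSVersion(7, 1, 2, 7019),
    (8, 0, 0): SonicOSVersion(8, 0, 0, 8035),
}


def is_affected(version: SonicOSVersion) -> bool:
    """True when the version falls inside one of the listed affected ranges."""
    ceiling = AFFECTED_CEILINGS.get((version.major, version.minor, version.patch))
    return ceiling is not None and version <= ceiling


def triage_inventory(lines: List[str]) -> Dict[str, str]:
    """Map each firewall name to 'affected', 'not affected' or 'unknown version'.

    Input lines are 'name,version' (a constructed format, not a SonicWall export);
    blank lines and '#' comments are skipped.
    """
    result: Dict[str, str] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, raw_version = line.partition(",")
        version = parse_version(raw_version)
        if version is None:
            result[name.strip()] = "unknown version"
        elif is_affected(version):
            result[name.strip()] = "affected"
        else:
            result[name.strip()] = "not affected"
    return result


# Constructed sample inventory: hostnames and firmware values are invented.
SAMPLE_INVENTORY = [
    "# name,firmware",
    "fw-branch-01,SonicOS 7.1.1-7058",
    "fw-branch-02,7.1.1-7059",
    "fw-dc-01,7.1.2-7019",
    "fw-dc-02,8.0.0-8035",
    "fw-lab-01,8.0.0-8037",
    "fw-legacy-01,7.0.1-5161",
    "fw-unknown,n/a",
]

# Mitigation wording follows the article's summary of SonicWall's guidance.
MITIGATION = ("update to fixed SonicOS firmware; if not possible, disable SSLVPN "
              "or restrict it to trusted sources")

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        note = f"  -> {MITIGATION}" if status == "affected" else ""
        print(f"{name:14} {status}{note}")
```

Entries that fail to parse are reported separately rather than silently treated as safe, so a device whose firmware field is missing or malformed still shows up for manual review; the comparison itself is a plain tuple comparison, which is why the build number is kept as the last field.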
This vulnerability has previously been targeted by Akira and Fog ransomware affiliates in past attacks against SonicWall firewalls. Arctic Wolf warned in October that at least 30 intrusions started with remote network access through SonicWall VPN accounts.
In conclusion, this recent incident highlights the importance of staying updated on security patches for network equipment like SonicWall firewalls. Network administrators must act quickly to apply the necessary updates and implement additional security measures to protect their networks from such vulnerabilities.
Related Information:
https://www.bleepingcomputer.com/news/security/sonicwall-firewall-bug-leveraged-in-attacks-after-poc-exploit-release/
https://www.securityweek.com/sonicwall-firewall-vulnerability-exploited-after-poc-publication/
https://nvd.nist.gov/vuln/detail/CVE-2024-53704
https://www.cvedetails.com/cve/CVE-2024-53704/
Published: Fri Feb 14 13:12:16 2025 by llama3.2 3B Q4_K_M