Monday, May 12, 2025

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the “SonicBoom Attack Chain,” which allows hackers to bypass authentication and seize administrative control over SonicWall Secure Mobile Access (SMA) appliances.

This attack leverages a combination of recently disclosed vulnerabilities, which have already been spotted in real-world attacks.

The SonicBoom Attack Chain essentially stitches together two severe vulnerabilities:

  • CVE-2024-38475: An Apache HTTP Server “Filename Confusion” bug, discovered by Orange Tsai, enabling arbitrary file read before authentication.
  • CVE-2023-44221: A post-authentication command injection flaw, discovered by Wenjie Zhong (H4lo), which can grant remote command execution.

A Whole New Attack

In combination, these flaws allow threat actors first to read sensitive system files, such as password and configuration files, via the Apache mod_rewrite flaw, and then to leverage the command injection to run arbitrary code with administrative privileges.

How SonicBoom Works

The attack chain exploits intricacies in how the Apache web server processes HTTP requests, specifically abusing the mod_rewrite module’s handling of paths.

Step 1: Arbitrary File Read

The attacker sends a crafted HTTP request to the SMA appliance, exploiting the mod_rewrite vulnerability (CVE-2024-38475).

By inserting a URL-encoded question mark (e.g., %3F) into the request and carefully manipulating the path, the attacker can trick the server into revealing arbitrary files from the filesystem, including potentially sensitive authentication data.

For example, a request like:

GET /portal/../../../../etc/passwd%3F HTTP/1.1
Host: target-sma

may return the contents of the /etc/passwd file, bypassing the intended access controls.

Step 2: Command Injection and Admin Access

After extracting critical information, attackers can use the post-auth command injection vulnerability (CVE-2023-44221) to remotely execute code or escalate privileges.

If configuration or admin credentials were obtained in step one, the system is completely compromised.

Researchers at watchTowr, a threat intelligence firm, demonstrated that these attacks can be performed without any prior authentication, making every unpatched SMA device a susceptible target.

The SonicWall SMA appliance is widely used by organizations globally to secure remote access to critical applications. Its prevalence on network edges makes it a particularly attractive target for cybercriminals.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities (KEV) catalog, warning that “immediate action is required to address ongoing exploitation.”

If successfully compromised, attackers could:

  • Steal sensitive data and credentials
  • Deploy ransomware or malware inside the corporate network
  • Pivot to attack other internal resources

SonicWall has issued urgent advisories and patches for affected SMA versions. Administrators are urged to:

  • Apply the latest updates to SMA appliances immediately
  • Monitor for suspicious activity, including unauthorized logins and file access
  • Check for unusual network traffic originating from SMA devices

Organizations unable to patch immediately are advised to take vulnerable appliances offline until mitigations are in place.
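The request pattern described under Step 1 (an encoded question mark plus path manipulation aimed at files such as /etc/passwd) is also what the monitoring advice above asks administrators to look for. The following script is an added example, not code from the article, from watchTowr or from SonicWall: it walks Apache-style combined access-log lines, percent-decodes each request path (repeatedly, so a double-encoded %253F is caught as well), and flags entries that show an encoded "?", a ".." traversal segment, or a reference to a sensitive file. The log format, the sample lines and the SENSITIVE_PATHS list are assumptions; the SMA appliance's own log layout may differ, and the list holds only the file the article names.

```python
import re
from urllib.parse import unquote

# Apache "combined" access-log line (assumed format; the SMA appliance's real log
# layout may differ, so adjust the pattern to match it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files whose appearance in a decoded request path is worth an alert.
# Only /etc/passwd is named in the article; extend this list for your environment.
SENSITIVE_PATHS = ("/etc/passwd",)


def decode_layers(path, max_rounds=3):
    """Percent-decode repeatedly so %253F (double-encoded '?') is also seen."""
    layers = [path]
    for _ in range(max_rounds):
        nxt = unquote(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def suspicious_reasons(target):
    """Return the indicators found in one request-target string (empty if clean)."""
    # Split at the first *literal* '?': everything after it is a normal query string.
    raw_path, _, _query = target.partition("?")
    final = decode_layers(raw_path)[-1]
    reasons = []
    # A '?' that only appears after decoding was sent encoded (%3F, %253F, ...),
    # which is the trick the article describes for CVE-2024-38475.
    if "?" in final:
        reasons.append("encoded-question-mark")
    if ".." in final.split("/"):
        reasons.append("path-traversal")
    if any(p in final for p in SENSITIVE_PATHS):
        reasons.append("sensitive-file")
    return reasons


def scan(lines):
    """Return one record per log line that carries at least one indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # unparseable lines are skipped, not treated as clean
            continue
        reasons = suspicious_reasons(m["target"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


# Constructed sample lines (not real traffic); the first mirrors the article's request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/May/2025:10:01:02 +0000] "GET /portal/../../../../etc/passwd%3F HTTP/1.1" 200 1831 "-" "curl/8.5.0"
198.51.100.7 - - [12/May/2025:10:01:05 +0000] "GET /portal/page.html?id=1 HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.10 - - [12/May/2025:10:01:09 +0000] "GET /portal/%2e%2e/%2e%2e/etc/passwd%253F HTTP/1.1" 404 196 "-" "curl/8.5.0"
this line is not an access-log record
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} {hit["target"]} '
              f'-> {", ".join(hit["reasons"])}')
```

A normal query string (the second sample line) is left alone because the split happens at the literal "?" before any decoding, so only a question mark that arrives encoded is reported. A 200 status next to these indicators deserves the highest priority, but 404s from the same source are still worth keeping, since they show probing that preceded or followed a successful read. This is a triage heuristic for the pattern the article describes, not a complete signature for CVE-2024-38475; patching remains the fix.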

The SonicBoom Attack Chain highlights how chaining together “known” vulnerabilities can have devastating consequences, especially on edge devices. As always, prompt patching and layered defenses are the best mitigation.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
