Cyber Security News

SonicWall Firewalls Exploit Hijack SSL VPN Sessions to Gain Networks Access

SonicWall firewalls running specific versions of SonicOS are vulnerable to a critical authentication bypass flaw, tracked as CVE-2024-53704, which allows attackers to hijack active SSL VPN sessions.

This vulnerability has been classified as high-risk, with a CVSS score of 8.2.

It affects SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used in various Gen 6 and Gen 7 firewall models.

Critical Vulnerability Enables Session Hijacking

Security researchers at Bishop Fox successfully demonstrated the exploit, revealing that an attacker can remotely bypass authentication without requiring credentials.

By sending a specially crafted session cookie containing a base64-encoded string of null bytes to the SSL VPN endpoint (/cgi-bin/sslvpnclient), attackers can assume control of active VPN sessions.

SonicWall Firewalls SonicWall Firewalls
attack path

This grants unauthorized access to sensitive internal resources, including Virtual Office bookmarks and VPN client configurations, and enables the establishment of new VPN tunnels into private networks.

The exploit also forcibly logs out the legitimate user from the session, further disrupting operations.

The vulnerability is particularly concerning because it bypasses even multi-factor authentication (MFA) mechanisms.

Proof-of-Concept (PoC) Released: Urgent Action Required

Bishop Fox released full exploitation details for CVE-2024-53704 after allowing time for system administrators to apply patches.

The public availability of this PoC significantly heightens the risk of exploitation in the wild.

As of February 7, approximately 4,500 internet-facing SonicWall SSL VPN servers remain unpatched.

SonicWall issued its initial advisory on January 7, urging immediate updates to mitigate the vulnerability.

The company has provided firmware patches addressing this flaw in newer versions:

  • Gen 6 Firewalls: SonicOS 6.5.5.1-6n or later
  • Gen 7 Firewalls: SonicOS 7.1.3-7015 or later
  • TZ80 Firewalls: SonicOS 8.0.0-8037 or later

Organizations unable to apply these updates are advised to disable SSL VPN access or restrict it to trusted sources as an interim measure.

The exploit’s simplicity underscores its potential for widespread abuse by threat actors seeking initial network access for espionage or ransomware campaigns.

Once inside, attackers can escalate privileges and conduct lateral movement within compromised networks.

Administrators should take immediate action:

  1. Apply Patches: Update all affected devices to the latest firmware version.
  2. Restrict Access: Limit SSL VPN and SSH management access to trusted IP ranges.
  3. Monitor Logs: Regularly review firewall logs for unusual activity, such as repeated session terminations or unauthorized logins.
  4. Enable MFA: While MFA is bypassed in this exploit, it remains a critical defense against other attacks.

With active exploitation now a significant concern, organizations must prioritize securing their SonicWall firewalls to prevent unauthorized access and potential data breaches.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Lumma Stealer Upgraded with PowerShell Tools and Advanced Evasion Techniques

Sophos Managed Detection and Response (MDR) in September 2024, the notorious Lumma Stealer malware has…

38 minutes ago

New Noodlophile Malware Spreads Through Fake AI Video Generation Platforms

Cybercriminals have unleashed a new malware campaign using fake AI video generation platforms as a…

47 minutes ago

Kimsuky Hacker Group Deploys New Phishing Techniques and Malware Campaigns

The North Korean state-sponsored Advanced Persistent Threat (APT) group Kimsuky, also known as “Black Banshee,”…

54 minutes ago

APT37 Hackers Use Weaponized LNK Files and Dropbox for Command-and-Control Operations

The North Korean state-sponsored hacking group APT37, also known as ScarCruft, launched a spear phishing…

1 hour ago

Open Source Linux Firewall IPFire 2.29 – Core Update 194 Released: What’s New!

IPFire, the powerful open-source firewall, has unveiled its latest release, IPFire 2.29 – Core Update…

5 hours ago

Threat Actors Leverage DDoS Attacks as Smokescreens for Data Theft

Distributed Denial of Service (DDoS) attacks, once seen as crude tools for disruption wielded by…

5 hours ago