SonicWall Advisory Reveals Two Unauthenticated Remote Code Execution Vulnerabilities
What Happened
On December 3, 2024, SonicWall PSIRT (Product Security Incident Response Team) released a security advisory detailing six vulnerabilities in their SMA 100 Series devices (SMA 200, 210, 400, 410, 500v). The reported vulnerabilities range in severity from Medium (5.3 CVSS) to High (8.1 CVSS) with three of the six having remote code execution potential.
| CVE ID | CVSS | Summary |
|---|---|---|
| CVE-2024-53702 | Medium - 5.3 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicWall SMA100 SSLVPN backup code generator that, in certain cases, can be predicted by an attacker, potentially exposing the generated secret. |
| CVE-2024-45319 | Medium - 6.3 | A vulnerability in the SonicWall SMA100 SSLVPN allows a remote, authenticated attacker to circumvent the certificate requirement during authentication. |
| CVE-2024-38475 | High - 7.5 | Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to file system locations that are permitted to be served by the server. |
| CVE-2024-40763 | High - 7.5 | Heap-based buffer overflow vulnerability in the SonicWall SMA100 SSLVPN due to the use of strcpy. This allows remote authenticated attackers to cause a heap-based buffer overflow and potentially lead to code execution. |
| CVE-2024-45318 | High - 8.1 | A vulnerability in the SonicWall SMA100 SSLVPN web management interface allows remote attackers to cause a stack-based buffer overflow and potentially lead to code execution without prior authentication. |
| CVE-2024-53703 | High - 8.1 | A vulnerability in the SonicWall SMA100 SSLVPN mod_httprp library loaded by the Apache web server allows remote attackers to cause a stack-based buffer overflow and potentially lead to code execution without prior authentication. |
While all of these vulnerabilities are important to be aware of, the last three are the most notable because they can lead to remote code execution. Of those three, two have been confirmed to require no prior authentication (CVE-2024-45318 and CVE-2024-53703).
SonicWall has stated that, “There is no evidence that these vulnerabilities are being exploited in the wild and SonicWall SSL VPN SMA1000 series products are not affected by these vulnerabilities.” However, this can change at any time and with the holidays just around the corner, it’s possible malicious actors may opt to save these vulnerabilities for just the right time, optimizing their impact. Fortunately, SonicWall has addressed all six of these vulnerabilities in a recent patch and is urging users to patch their SMA 100 series devices to 10.2.1.14-75sv and higher versions.
SonicWall has also confirmed that there is no advisable workaround and suggests that patching is the only method to address these vulnerabilities in affected systems.
What That Means
Administrators managing SonicWall SMA 100 series devices should patch immediately. With three vulnerabilities leading to possible remote code execution and two of those not requiring prior authentication, the potential for exploitation is pretty high. Vulnerabilities that require no authentication are more easily targeted and exploited on a mass scale. Due to a lack of authentication requirements, malicious actors are easily able to automate the scanning for and exploitation of unauthenticated remote code execution. It is also more difficult to track such exploits as authentication logs will leave little to no trace of this activity.
Who’s Impacted
The following table and notes have been directly lifted from the SonicWall SNWLID-2024-0018 advisory.
Affected Product(s)
| Affected Product(s) | Affected Versions |
|---|---|
| SMA 100 Series | 10.2.1.13-72sv and earlier versions. |
How Would I Know and What Should I Do
At this time, SonicWall has not released any indicators of compromise or any details regarding what to look for should you suspect your systems are being targeted.
Without specifics around exploitation, Administrators should be on the lookout for unusual behavior in their environment, especially anything related to any unpatched SMA 100 series devices. This includes, but is not limited to:
- Unusual or unexpected login attempts to the admin portal or SSLVPN
- Unexpected changes to the configuration of SMA devices
- Activity related to SMA backup files
- Unusual commands initiated via the SMA CLI
If you suspect an SMA device has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to disconnect the SMA device, recover from a known-good backup, and apply the latest patches before bringing back online. It is also recommended to rotate any administrator or user account passwords local to the compromised device.
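As an added example (not from the SonicWall advisory or from Blumira), the following Python checks whether an SMA 100 firmware string predates the fixed build named in the advisory and triages log lines for the indicators listed above. The log lines, their key=value format, the field names and the IP addresses are all constructed assumptions, not a documented SonicWall format.

```python
"""Added example: SMA 100 version check plus indicator triage over constructed logs."""
import re
from collections import Counter

FIXED = "10.2.1.14-75sv"   # fixed build named in the advisory

def parse_version(v):
    """'10.2.1.13-72sv' -> (10, 2, 1, 13, 72), comparable as a tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv", v.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version, fixed=FIXED):
    """True when the running build is older than the fixed build."""
    return parse_version(version) < parse_version(fixed)

# Constructed sample lines in a hypothetical key=value syslog style.
SAMPLE_LOGS = """\
time="2024-12-05 02:11:04" src=203.0.113.9 user=admin msg="Admin login allowed"
time="2024-12-05 02:11:30" src=203.0.113.9 user=admin msg="Configuration change"
time="2024-12-05 02:12:01" src=198.51.100.7 user=bob msg="SSLVPN login failed"
time="2024-12-05 02:12:03" src=198.51.100.7 user=bob msg="SSLVPN login failed"
time="2024-12-05 09:00:00" src=192.0.2.44 user=alice msg="SSLVPN login allowed"
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def triage(log_text, known_admin_srcs, fail_threshold=2):
    """Return (indicator, detail) findings for the three indicators covered:
    admin login from an unknown source, a configuration change, and repeated
    SSLVPN login failures from one source."""
    findings = []
    failures = Counter()
    for ev in map(parse_line, log_text.splitlines()):
        msg = ev.get("msg", "")
        if "Admin login allowed" in msg and ev["src"] not in known_admin_srcs:
            findings.append(("admin_login_unknown_src", ev["src"]))
        elif "Configuration change" in msg:
            findings.append(("config_change", ev["user"]))
        elif "login failed" in msg:
            failures[ev["src"]] += 1
    findings += [("repeated_login_failures", s)
                 for s, n in failures.items() if n >= fail_threshold]
    return findings
```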
When Will it be Fixed?
Patches are available and have been released by SonicWall.
Fixed Software
| Fixed Product(s) | Fixed Versions |
|---|---|
| SMA 100 Series | 10.2.1.14-75sv and higher versions. |
How Blumira Can Help
Blumira’s security team actively monitors this issue and looks for additional ways that we can detect any stage of exploitation of these vulnerabilities.
We offer several pre-configured system reports that allow you to review SonicWall configuration changes, IDP/IPS alerts, VPN connections, and Administrator login activity.
Additionally, we have several detections to alert you when an Administrator account has logged in, configuration changes have been made, or brute force login activity is identified on your SonicWall device. Note that the detections, SonicWall: Configuration Change and Sonicwall: Administrator Login Allowed are disabled by default and must be manually enabled.
Blumira’s Free SIEM is easy to deploy; IT and security teams can start seeing immediate security value for their organizations.
Jake Ouellette
Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.