    January 8, 2025

    SonicWall Discloses Multiple Vulnerabilities Including a High Severity Authentication Bypass Flaw

    What Happened

    On January 7th, SonicWall released a product security advisory detailing several vulnerabilities, including a high severity flaw in the SSL-VPN authentication mechanism which could allow a remote attacker to bypass authentication. While this vulnerability is the highlight of the advisory, it comes alongside three others: another SSL-VPN authentication bypass (CVSS 7.1), a privilege escalation vulnerability (CVSS 7.8), and a server-side request forgery vulnerability (CVSS 6.5).

    Additionally, an SSL-VPN MFA Bypass (CVSS 6.5) vulnerability was also disclosed in a separate advisory. This vulnerability is not as high severity as the previously mentioned authentication bypass, but is important to call out due to the heavy reliance on MFA for securing VPN access.

    SonicWall states in their advisory that no active exploitation of these vulnerabilities has been reported but that patching immediately is important to prevent exploitation.

    CVE ID | CVSS | Summary

    CVE-2024-53704 | High - 8.2 | SonicOS SSL-VPN Authentication Bypass Vulnerability
    An Improper Authentication vulnerability in the SSL-VPN authentication mechanism allows a remote attacker to bypass authentication.

    CVE-2024-53706 | High - 7.8 | Local Privilege Escalation Vulnerability
    A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows a remote authenticated local low-privileged attacker to elevate privileges to `root` and potentially lead to code execution.

    CVE-2024-40762 | High - 7.1 | Cryptographically Weak Pseudo-Random Number Generator
    Use of a Cryptographically Weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSL-VPN authentication token generator that, in certain cases, can be predicted by an attacker, potentially resulting in authentication bypass.

    CVE-2024-53705 | Medium - 6.5 | Server-Side Request Forgery Vulnerability
    A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port when the user is logged in to the firewall.

    CVE-2024-12802 | Medium - 6.5 | SSL-VPN MFA Bypass
    SSL-VPN MFA Bypass in SonicWALL SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory, allowing MFA to be configured independently for each login method and potentially enabling attackers to bypass MFA by exploiting the alternative account name.
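The CVE-2024-40762 entry above is a textbook case of the difference between a statistical PRNG and a cryptographic one. The following is an added example written for this page, not code from SonicWall or from the advisory: it issues and validates session tokens with the operating system's CSPRNG (Python's `secrets` module), keeps only a hash of each token server-side, and shows the seeded-PRNG anti-pattern beside it purely for contrast. The session store, lifetime and usernames are constructed for the example.

```python
from __future__ import annotations

import hashlib
import random
import secrets
import time

TOKEN_BYTES = 32            # 256 bits drawn from the OS CSPRNG per token
SESSION_TTL_SECONDS = 900   # constructed 15-minute lifetime for the example

# Constructed in-memory session store: maps SHA-256(token) to session data.
# Storing only the digest means a copy of this store yields no usable tokens.
_sessions: dict[str, dict] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(username: str, now: float | None = None) -> str:
    """Issue a session token for an already-authenticated user.

    secrets.token_urlsafe reads from the operating system's CSPRNG, so one
    token reveals nothing about the next. That is the property a seeded or
    statistical PRNG (the random module) does not provide.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    _sessions[_digest(token)] = {"user": username, "expires": now + SESSION_TTL_SECONDS}
    return token


def validate_token(token: str, now: float | None = None) -> str | None:
    """Return the username bound to a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    meta = _sessions.get(_digest(token))
    if meta is None or meta["expires"] <= now:
        return None
    return meta["user"]


def revoke_token(token: str) -> bool:
    """Invalidate a token, e.g. on logout or when rotating sessions after an incident."""
    return _sessions.pop(_digest(token), None) is not None


def weak_token_for_contrast(seed: int) -> str:
    """Anti-pattern, shown only for contrast: a token from a seeded PRNG.

    random.Random is deterministic, so the same seed yields the same token.
    A token generator whose output can be reproduced from guessable state is
    the class of weakness the CVE-2024-40762 summary describes.
    """
    rng = random.Random(seed)
    return f"{rng.getrandbits(128):032x}"


if __name__ == "__main__":
    tok = issue_token("jdoe")
    print("issued:", tok)
    print("valid for:", validate_token(tok))
    print("seeded PRNG is repeatable:", weak_token_for_contrast(1) == weak_token_for_contrast(1))
```

The design point is that token unpredictability comes from the entropy source, not from token length or format; a 32-character token from a seeded generator is no stronger than its seed.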

    What That Means

    Administrators managing virtual or physical SonicWall firewalls should patch immediately. Vulnerabilities affecting these products can allow remote attackers to bypass authentication for SSL-VPN services and allow them direct access to underlying networks.

    When operated correctly, a VPN allows a remote employee to access internal company networks and resources. The benefits of this service are plain to see; however, in the hands of a malicious actor, VPNs are a valuable target precisely because of the network access they provide. While logged in to a company VPN, malicious actors will typically begin scanning and scoping out the network to determine their level of access and identify potential targets for lateral movement and exploitation. Some threat actors may opt to start with data exfiltration, downloading any and all data that is accessible to them to later be used for extortion or sold to the highest bidder (or both).

    Who’s Impacted

    The following list has been directly lifted from the SonicWall Advisory page.

    Vulnerabilities | Affected Platforms and Build Versions

    CVE-2024-53705
        Gen6 Hardware Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W
            6.5.4.15-117n and older versions.
        Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
            7.0.x (7.0.1-5161 and older versions).
        Gen7 NSv - NSv 270, NSv 470, NSv 870
            7.0.x (7.0.1-5161 and older versions).

    CVE-2024-40762, CVE-2024-53704, CVE-2024-53705
        Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
            7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
        Gen7 NSv - NSv 270, NSv 470, NSv 870
            7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
        TZ80
            Version 8.0.0-8035

    CVE-2024-53706
        Gen7 Cloud platform NSv - NSv 270, NSv 470, NSv 870 (Only AWS and Azure editions are vulnerable)
            7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019

    CVE-2024-12802
        Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600
            6.5.4.4-44v-21-2457 and older versions
        Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W
            6.5.4.15-117n and older versions
        Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSA 2700, NSA 3700, NSA 4700, NSA 5700, NSA 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
        Gen7 NSv - NSV270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure)
            7.0.1-5161 and older versions
            7.1.1-7058 and older versions
            7.1.2-7019 and older versions
        TZ80
            Version 8.0.0-8035

    How Would I Know and What Should I Do

    At this time, SonicWall has not released any indicators of compromise or any details regarding what to look for to confirm if your systems are being targeted.

    Without specifics around exploitation, administrators should be on the lookout for unusual behavior in their environment, especially anything related to unpatched SonicWall firewalls. This includes, but is not limited to:

    • Unusual or unexpected login attempts to the admin portal or SSL-VPN
    • Unexpected changes to the configuration of SonicWall devices

    If you suspect your SonicWall firewall has been compromised, you should immediately attempt to contain the incident and establish a scope. In some cases, it may be advisable to disconnect the firewall, recover from a known-good backup, and apply the latest patches before bringing it back online. Also, ensure you rotate any administrator or user account passwords local to the compromised device.
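Both bullet points above can be turned into concrete checks over the firewall's syslog feed. The following is an added example written for this page, not Blumira's or SonicWall's detection code: it parses constructed lines in the key=value layout SonicOS uses for syslog, raises an alert when five login failures from one source fall inside a 15-minute sliding window, lists configuration-change events, and flags a successful login that follows a failure burst from the same source. The serial number, addresses, usernames and exact msg= texts are constructed assumptions; match the message strings against what your firmware actually emits.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the key=value layout SonicOS uses for syslog.
# Serial numbers, addresses and message texts are made up for this example.
SAMPLE_LOGS = """\
id=firewall sn=EXAMPLE0001 time="2025-01-08 08:00:00" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="svc_backup" src=192.0.2.33
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:00:05" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="jdoe" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:03:10" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="jdoe" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 08:40:00" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="svc_backup" src=192.0.2.33
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:06:40" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="admin" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:10:02" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="admin" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:12:30" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="jdoe" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:14:00" fw=203.0.113.10 pri=6 msg="SSL VPN login allowed" usr="jdoe" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:15:30" fw=203.0.113.10 pri=5 msg="Configuration changed" usr="admin" src=198.51.100.7
id=firewall sn=EXAMPLE0001 time="2025-01-08 09:30:00" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="svc_backup" src=192.0.2.33
id=firewall sn=EXAMPLE0001 time="2025-01-08 10:20:00" fw=203.0.113.10 pri=1 msg="SSL VPN login failed" usr="svc_backup" src=192.0.2.33
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_logs(text: str) -> list[dict]:
    """Parse key=value lines into dicts and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # re.findall yields '' for the unmatched alternative, so "q or u" picks the present one.
        ev = {k: (q or u) for k, q, u in KV_RE.findall(line)}
        ev["ts"] = datetime.strptime(ev["time"], TIME_FMT)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_login_failure_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Sliding-window count of login failures per source address.

    Emits one alert per source each time `threshold` failures fall inside
    `window`, then resets that source's window so it does not re-alert on
    every subsequent failure.
    """
    recent = defaultdict(deque)
    alerts = []
    for ev in events:
        if "login failed" not in ev.get("msg", "").lower():
            continue
        src = ev.get("src", "?")
        q = recent[src]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": src, "count": len(q), "first": q[0], "last": ev["ts"]})
            q.clear()
    return alerts


def find_config_changes(events):
    """Configuration-change events; each should map to a known change ticket."""
    return [ev for ev in events if "configuration changed" in ev.get("msg", "").lower()]


def successes_after_bursts(events, alerts, grace=timedelta(minutes=30)):
    """Successful logins from a source within `grace` of that source's burst alert."""
    hits = []
    for ev in events:
        if "login allowed" not in ev.get("msg", "").lower():
            continue
        for a in alerts:
            if ev.get("src") == a["src"] and a["last"] <= ev["ts"] <= a["last"] + grace:
                hits.append(ev)
                break
    return hits


if __name__ == "__main__":
    evs = parse_logs(SAMPLE_LOGS)
    bursts = find_login_failure_bursts(evs)
    for a in bursts:
        print(f"ALERT {a['count']} login failures from {a['src']} between {a['first']} and {a['last']}")
    for ev in successes_after_bursts(evs, bursts):
        print(f"FOLLOW-UP login allowed for {ev['usr']} from {ev['src']} at {ev['ts']}")
    for ev in find_config_changes(evs):
        print(f"CONFIG CHANGE by {ev['usr']} from {ev['src']} at {ev['ts']}")
```

On the constructed input the burst detector fires once (five failures from 198.51.100.7 within twelve minutes) while the slow trickle from 192.0.2.33 stays below threshold; the success-after-burst check is what makes the follow-up login from the same source worth a look rather than just the failures themselves.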

    Workarounds

    Patching is essential to effectively mitigate exposure to these vulnerabilities. However, if you are unable to patch immediately, a workaround may be available.

    If SSL-VPN is not a critical component of regular business operations, temporarily disabling that functionality on your firewall until patches can be applied has been identified as an adequate workaround. Alternatively, refer to the suggestions made by SonicWall in both advisories:

    SNWLID-2025-0003

    To minimize the potential impact of SSL-VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL-VPN access from the Internet. For more information about disabling firewall SSL-VPN access, see: how-can-i-setup-ssl-vpn.

    To minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access.

    For more information about disabling firewall SSH management access, see: how-can-i-restrict-SonicOS-admin-access

    SNWLID-2025-0001

    To mitigate the SSL-VPN MFA bypass issue in SonicWALL SSL-VPN, modify the LDAP Schema settings to prevent authentication via UPN (User Principal Name). This can be achieved by removing "userPrincipalName" from the "Qualified login name" field in the LDAP configuration.

    This configuration can be accessed by navigating to: Device > Users > Settings > Authentication > Configure LDAP > Edit Primary LDAP Server > Schema.
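The SNWLID-2025-0001 workaround removes one of the two login names rather than unifying them. The following is an added example written for this page, not SonicWall's code or LDAP schema handling, that models both the root cause described in the CVE-2024-12802 summary and the fix: an MFA policy keyed on the login string as typed gives different answers for `jdoe` and `jdoe@corp.example`, whereas a policy that first resolves the login to its directory identity gives one answer for every spelling. The `allow_upn=False` switch models the advisory's workaround of dropping `userPrincipalName` from the "Qualified login name". The directory entries, domain name and account names are constructed for the example.

```python
from __future__ import annotations

# Constructed stand-in for an Active Directory lookup. Each account is known
# by two names, a sAMAccountName and a userPrincipalName; values are made up.
DIRECTORY = [
    {"dn": "CN=Jane Doe,OU=Staff,DC=corp,DC=example",
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@corp.example"},
    {"dn": "CN=Backup Service,OU=Service,DC=corp,DC=example",
     "sAMAccountName": "svc_backup", "userPrincipalName": "svc_backup@corp.example"},
]
NETBIOS_DOMAIN = "CORP"  # constructed


def resolve_account(login_name: str, allow_upn: bool = True) -> dict | None:
    """Map any accepted login form to the single directory entry behind it.

    Accepts "jdoe", "CORP\\jdoe" and (when allow_upn is True) "jdoe@corp.example".
    allow_upn=False models the workaround of removing userPrincipalName from the
    LDAP "Qualified login name", so UPN-form logins are refused outright.
    """
    name = login_name.strip()
    if "\\" in name:
        domain, _, name = name.partition("\\")
        if domain.upper() != NETBIOS_DOMAIN:
            return None
    if "@" in name:
        if not allow_upn:
            return None
        return next((e for e in DIRECTORY if e["userPrincipalName"].lower() == name.lower()), None)
    return next((e for e in DIRECTORY if e["sAMAccountName"].lower() == name.lower()), None)


class MfaPolicyByLoginName:
    """The weak shape the advisory describes: MFA enrolment is keyed on the
    login string as typed, so an enrolment under the SAM name says nothing
    about a login that presents the UPN of the same account."""

    def __init__(self, enrolled: dict[str, bool]):
        self.enrolled = enrolled

    def mfa_required(self, login_name: str) -> bool:
        return self.enrolled.get(login_name, False)


class MfaPolicyByIdentity:
    """Hardened shape: resolve the login to its directory identity first and
    key MFA on the DN, so every spelling of the account gets the same answer.
    Unknown or refused logins fail closed (MFA required)."""

    def __init__(self, enrolled: dict[str, bool], allow_upn: bool = True):
        self.enrolled = enrolled
        self.allow_upn = allow_upn

    def mfa_required(self, login_name: str) -> bool:
        entry = resolve_account(login_name, allow_upn=self.allow_upn)
        if entry is None:
            return True
        return self.enrolled.get(entry["dn"], True)


def login_decision(policy, login_name: str, password_ok: bool, mfa_ok: bool) -> str:
    """Outcome of one login attempt under a given policy (constructed flow)."""
    if not password_ok:
        return "denied: bad password"
    if policy.mfa_required(login_name) and not mfa_ok:
        return "denied: MFA required"
    return "allowed"


if __name__ == "__main__":
    weak = MfaPolicyByLoginName({"jdoe": True})
    strong = MfaPolicyByIdentity({"CN=Jane Doe,OU=Staff,DC=corp,DC=example": True})
    for name in ("jdoe", "CORP\\jdoe", "jdoe@corp.example"):
        print(f"{name:20} weak={login_decision(weak, name, True, False):22} "
              f"strong={login_decision(strong, name, True, False)}")
```

The same pattern applies beyond this advisory: whenever a system accepts several spellings of one principal, authorization and MFA decisions should be made on the resolved identity, not on the input string.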

    When Will it Be Fixed?

    Patches are available now and include the following:

    Fixed Platforms | Fixed Versions

    Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600
        6.5.4.4-44v-21-2472 and higher

    Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W
        6.5.5.1-6n and higher

    Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
    Gen7 NSv - NSV270, NSv470, NSv870 (ESX, KVM, HYPER-V, AWS, Azure)
        7.0.1-5165 and higher
        7.1.3-7015 and higher

    TZ80
        8.0.0-8037 and higher

    How Blumira Can Help

    Blumira’s security team is actively monitoring this issue and exploring methods to detect potential exploitation of these vulnerabilities.

    Several detections and reports are available to our customers and may help reveal possible exploitation of these vulnerabilities or post-exploitation activity:

    Type | Name

    Detection | SonicWall: 5 or More Login Failures in 15 Minutes
    Detection (default disabled) | SonicWall: Configuration Change
    Detection (default disabled) | SonicWall: Administrator Login Allowed
    Report | Firewall Configuration Change (SonicWall)
    Report | IDS/IPS Alerts
    Report | VPN Connections
    Report | SonicWall: Administrator Login Allowed

    Tag(s): Security Alerts

    Jake Ouellette

    Jake is an Incident Detection Engineer at Blumira, where he contributes to research and design efforts to continuously improve the detection, analysis, and disruption capabilities of the Blumira platform.
