Blumira Resources & Blog

SonicWall Discloses Multiple Vulnerabilities Including a High Severity Authentication Bypass Flaw

Written by Jake Ouellette | Jan 8, 2025 7:42:11 PM

What Happened

On January 7th, SonicWall released a product security advisory (SNWLID-2025-0003) detailing several vulnerabilities, including a high severity flaw in the SSL-VPN authentication mechanism (CVE-2024-53704, CVSS 8.2) that could allow a remote attacker to bypass authentication. While this vulnerability is the highlight of the advisory, it was published alongside three others: a second SSL-VPN authentication bypass caused by a cryptographically weak PRNG in the authentication token generator (CVE-2024-40762, CVSS 7.1), a local privilege escalation in the cloud NSv editions (CVE-2024-53706, CVSS 7.8), and a server-side request forgery in the SSH management interface (CVE-2024-53705, CVSS 6.5).

Additionally, an SSL-VPN MFA bypass (CVE-2024-12802, CVSS 6.5) was disclosed in a separate advisory (SNWLID-2025-0001). This vulnerability is rated lower than the authentication bypass above, but it is important to call out because of how heavily organizations rely on MFA to secure VPN access.

SonicWall states in its advisories that no active exploitation of these vulnerabilities has been reported, but that patching immediately is important to prevent exploitation.

CVE ID | CVSS | Summary

CVE-2024-53704 | High - 8.2 | SonicOS SSL-VPN Authentication Bypass Vulnerability
An Improper Authentication vulnerability in the SSL-VPN authentication mechanism allows a remote attacker to bypass authentication.

CVE-2024-53706 | High - 7.8 | Local Privilege Escalation Vulnerability
A vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only) allows an authenticated, low-privileged local attacker to elevate privileges to `root`, potentially leading to code execution.

CVE-2024-40762 | High - 7.1 | Cryptographically Weak Pseudo-Random Number Generator
Use of a cryptographically weak pseudo-random number generator (PRNG) in the SonicOS SSL-VPN authentication token generator means that, in certain cases, tokens can be predicted by an attacker, potentially resulting in authentication bypass.

CVE-2024-53705 | Medium - 6.5 | Server-Side Request Forgery Vulnerability
A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port while a user is logged in to the firewall.

CVE-2024-12802 | Medium - 6.5 | SSL-VPN MFA Bypass
An SSL-VPN MFA bypass in SonicWall SSL-VPN can arise in specific cases due to the separate handling of UPN (User Principal Name) and SAM (Security Account Manager) account names when integrated with Microsoft Active Directory. Because MFA can be configured independently for each login method, an attacker may be able to bypass MFA by authenticating with the alternative account name.
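The weak-PRNG token issue (CVE-2024-40762) is easier to reason about with a toy model. The following is an added example, not SonicWall code and not a description of SonicOS internals: a session-token service that seeds Python's Mersenne Twister with the login time, and an attacker who recovers a live session simply by regenerating every token the service could have minted around the time the victim logged in. The hardened variant draws tokens from the OS CSPRNG. The timestamps, user names and seeding scheme are assumptions of the model.

```python
"""Toy model of a predictable SSL-VPN session token (CVE-2024-40762 class).

Added example; not SonicWall code and not a description of SonicOS internals.
The "weak" service seeds Python's Mersenne Twister with the login time, so an
attacker who knows roughly when a victim logged in can regenerate every token
the service could have minted in that window and try each one. The "strong"
service draws tokens from the OS CSPRNG, which has no seed to recover.
"""
import random
import secrets
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 16


def weak_token(seed: int) -> str:
    """Deterministic: the same seed always yields the same token.

    Seeding with wall-clock seconds leaves an attacker only a few thousand
    candidates to try. Two logins in the same second would even collide.
    (Constructed weak generator; real implementations differ in detail.)
    """
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def strong_token() -> str:
    """128 bits from the OS CSPRNG; nothing for an attacker to enumerate."""
    return secrets.token_hex(TOKEN_BYTES)


class TokenService:
    """Minimal session store: token -> user. `weak` selects the generator."""

    def __init__(self, weak: bool) -> None:
        self.weak = weak
        self.sessions: Dict[str, str] = {}

    def login(self, user: str, now: int) -> str:
        token = weak_token(now) if self.weak else strong_token()
        self.sessions[token] = user
        return token

    def whoami(self, token: str) -> Optional[str]:
        """The VPN's token check: valid token -> user, otherwise None."""
        return self.sessions.get(token)


def hijack(service: TokenService, approx_time: int, window: int) -> Optional[Tuple[str, str]]:
    """Attacker: regenerate each token the weak generator could have produced
    within +/- window seconds of the victim's login and present it to the
    service. Returns the first (token, user) the service accepts, or None."""
    for seed in range(approx_time - window, approx_time + window + 1):
        token = weak_token(seed)
        user = service.whoami(token)
        if user is not None:
            return token, user
    return None


def demo(login_time: int = 1736275200) -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Victim logs in at login_time; the attacker knows the time to within a
    minute. Returns (result against weak service, result against strong)."""
    weak_svc, strong_svc = TokenService(weak=True), TokenService(weak=False)
    weak_svc.login("admin", login_time)
    strong_svc.login("admin", login_time)
    return hijack(weak_svc, login_time + 17, 60), hijack(strong_svc, login_time + 17, 60)


if __name__ == "__main__":
    weak_result, strong_result = demo()
    print("weak PRNG:", weak_result)    # ('<token>', 'admin'): session hijacked
    print("CSPRNG   :", strong_result)  # None: nothing to enumerate
```

The attacker never sees the victim's token; a 121-second guess at the login time is enough because the generator's entire state is the seed. That is the failure mode the advisory describes as "in certain cases, can be predicted", and the fix is not a bigger seed but a generator whose output cannot be reproduced from any observable input.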

What That Means

Administrators managing virtual or physical SonicWall firewalls should patch immediately. These vulnerabilities can allow remote attackers to bypass authentication for SSL-VPN services, giving them direct access to the networks behind the firewall.

When operated correctly, a VPN allows a remote employee to reach internal company networks and resources. The benefits of this service are plain to see; however, in the hands of a malicious actor, VPNs are a valuable target precisely because of the network access they provide. Once logged in to a company VPN, malicious actors will typically begin scanning and scoping out the network to determine their level of access and identify targets for lateral movement and exploitation. Some threat actors may instead start with data exfiltration, downloading any and all data accessible to them to be used later for extortion, sold to the highest bidder, or both.

Who’s Impacted

The following list is taken directly from the SonicWall advisory pages.

Vulnerabilities | Affected Platforms and Build Versions

CVE-2024-53705
  • Gen6 Hardware Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.4.15-117n and older versions.
  • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: 7.0.x (7.0.1-5161 and older versions).
  • Gen7 NSv - NSv 270, NSv 470, NSv 870: 7.0.x (7.0.1-5161 and older versions).

CVE-2024-40762, CVE-2024-53704, CVE-2024-53705
  • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700: 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
  • Gen7 NSv - NSv 270, NSv 470, NSv 870: 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.
  • TZ80: version 8.0.0-8035.

CVE-2024-53706
  • Gen7 Cloud platform NSv - NSv 270, NSv 470, NSv 870 (only AWS and Azure editions are vulnerable): 7.1.x (7.1.1-7058 and older versions) and version 7.1.2-7019.

CVE-2024-12802
  • Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600: 6.5.4.4-44v-21-2457 and older versions.
  • Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.4.15-117n and older versions.
  • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, and Gen7 NSv - NSv 270, NSv 470, NSv 870 (ESX, KVM, Hyper-V, AWS, Azure): 7.0.1-5161 and older versions; 7.1.1-7058 and older versions; 7.1.2-7019 and older versions.
  • TZ80: version 8.0.0-8035.

How Would I Know and What Should I Do

At this time, SonicWall has not released any indicators of compromise or any details regarding what to look for to confirm if your systems are being targeted.

Without specifics around exploitation, administrators should be on the lookout for unusual behavior in their environment, especially anything related to any unpatched SonicWall firewalls. This includes, but is not limited to: 

  • Unusual or unexpected login attempts to the admin portal or SSL-VPN
  • Unexpected changes to the configuration of SonicWall devices
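The two indicators above can be turned into a first-pass hunt over firewall syslog. The following is an added example, not Blumira's detection logic and not SonicWall code: it parses key=value syslog lines of the kind SonicWall firewalls emit and raises three alerts, namely a burst of login failures from one source (5 or more within 15 minutes, the same threshold as the Blumira detection listed at the end of this post), any configuration change, and an administrator login allowed from outside the networks assumed to be trusted for management. The log lines are constructed for this example; the field names follow SonicWall's key=value format, but the exact msg strings vary by firmware, so the substrings matched here are assumptions to tune against your own devices' output.

```python
"""Hunting for the behaviours listed above in SonicWall-style syslog.

Added example, not Blumira's detection logic. It parses key=value syslog lines
of the kind SonicWall firewalls emit and raises three alerts: a burst of login
failures from one source (5 or more within 15 minutes), a configuration
change, and an administrator login allowed from outside the networks assumed
to be trusted for management. The log lines are constructed for this example;
the field names follow SonicWall's key=value format, but the exact msg strings
vary by firmware, so tune the substrings to your own devices' output.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, Iterable, List, Tuple

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=15)
TRUSTED_MGMT = [ip_network("10.0.0.0/8")]  # assumption: internal management range

SAMPLE_LOGS = [  # constructed; not output from a real device
    'id=firewall sn=EXAMPLE time="2025-01-08 10:00:01 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51001:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:02:10 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51002:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:04:20 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51003:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:06:30 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51004:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:08:40 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51005:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:09:50 UTC" fw=203.0.113.10 msg="Administrator login denied due to bad credentials" src=198.51.100.7:51006:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:10:30 UTC" fw=203.0.113.10 msg="Administrator login allowed" src=198.51.100.7:51020:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:11:02 UTC" fw=203.0.113.10 msg="Configuration changed" src=198.51.100.7:51020:X1 usr=admin',
    'id=firewall sn=EXAMPLE time="2025-01-08 10:12:00 UTC" fw=203.0.113.10 msg="Administrator login allowed" src=10.0.0.5:40000:X0 usr=netops',
]

Alert = Tuple[str, str, str]  # (kind, source ip, user)


def parse(line: str) -> Dict[str, str]:
    """Split a key=value line into a dict, dropping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def src_ip(ev: Dict[str, str]) -> str:
    """src is addr:port:interface (e.g. 198.51.100.7:51001:X1); keep the addr."""
    return ev.get("src", "").split(":")[0]


def is_trusted(ip: str) -> bool:
    try:
        return any(ip_address(ip) in net for net in TRUSTED_MGMT)
    except ValueError:
        return False


def detect(lines: Iterable[str]) -> List[Alert]:
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times in window
    for line in lines:
        ev = parse(line)
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S UTC")
        msg = ev.get("msg", "").lower()
        src, user = src_ip(ev), ev.get("usr", "?")
        if "login denied" in msg or "login failed" in msg:
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:  # slide the 15-minute window
                window.popleft()
            if len(window) == FAIL_THRESHOLD:  # fire once, as the threshold is crossed
                alerts.append(("login_failure_burst", src, user))
        elif "administrator login allowed" in msg:
            if not is_trusted(src):
                alerts.append(("admin_login_untrusted_source", src, user))
        elif "configuration" in msg and ("changed" in msg or "modified" in msg):
            alerts.append(("config_change", src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

One caveat worth keeping in mind: an authentication bypass of the kind described above may produce no failed logins at all, only a successful SSL-VPN or administrator session from a source you have never seen. Failure counting catches password spraying; for a bypass, the "login allowed from an untrusted source" rule and a baseline of normal VPN source addresses are the checks that matter.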

If you suspect your SonicWall firewall has been compromised, you should immediately attempt to contain the incident and establish its scope. In some cases, it may be advisable to disconnect the firewall, recover from a known-good backup, and apply the latest patches before bringing it back online. Also, rotate the passwords of any administrator or user accounts local to the compromised device.

Workarounds

Patching is essential to effectively mitigate exposure to these vulnerabilities. However, if you are unable to patch immediately, a workaround may be available. 

If SSL-VPN is not a critical component of regular business operations, temporarily disabling that functionality on your firewall until patches can be applied is an adequate workaround. Alternatively, refer to the suggestions made by SonicWall in both advisories:

SNWLID-2025-0003

To minimize the potential impact of SSL-VPN vulnerabilities, please ensure that access is limited to trusted sources, or disable SSL-VPN access from the Internet. For more information about disabling firewall SSL-VPN access, see: how-can-i-setup-ssl-vpn.

To minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access.

For more information about disabling firewall SSH management access, see: how-can-i-restrict-SonicOS-admin-access

SNWLID-2025-0001

To mitigate the SSL-VPN MFA bypass issue in SonicWALL SSL-VPN, modify the LDAP Schema settings to prevent authentication via UPN (User Principal Name). This can be achieved by removing "userPrincipalName" from the "Qualified login name" field in the LDAP configuration.

This configuration can be accessed by navigating to: Device > Users > Settings > Authentication > Configure LDAP > Edit Primary LDAP Server > Schema.
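The mechanism behind this bypass, one human known to the directory by two login spellings with MFA decided separately for each, is simple enough to model. The following is an added example, not SonicOS code: a constructed directory knows each user by both sAMAccountName and userPrincipalName; the vulnerable policy keys the MFA requirement on the login string as typed, so the UPN spelling that was never enrolled slips through on password alone, while the hardened policy resolves the login to one canonical account first and fails closed when no policy exists. The user names, domain and passwords are assumptions for the example.

```python
"""Toy model of the SSL-VPN MFA bypass class (CVE-2024-12802): one human,
two login spellings, two MFA decisions.

Added example; not SonicOS code. A constructed directory knows each user by
sAMAccountName and userPrincipalName. The vulnerable policy keys the MFA
requirement on the login string as typed, so `jdoe` and `jdoe@corp.example`
are separate entries and the UPN spelling was never enrolled. The hardened
policy resolves the login to one canonical account first and only then asks
whether MFA is required, defaulting to "required" when unsure. User names,
domain and passwords are assumptions for the example.
"""
from typing import Optional

# Constructed directory data: sAMAccountName -> userPrincipalName
DIRECTORY = {"jdoe": "jdoe@corp.example", "asmith": "asmith@corp.example"}
UPN_TO_SAM = {upn: sam for sam, upn in DIRECTORY.items()}
PASSWORDS = {"jdoe": "Winter2025!", "asmith": "Hunter2"}  # plaintext only in this toy

# MFA enrolment was done against the short (SAM) spelling only.
MFA_ENROLLED = {"jdoe": True, "asmith": True}


def canonical_account(login: str) -> Optional[str]:
    """Map UPN, DOMAIN\\user or bare user to the sAMAccountName, or None."""
    login = login.lower()
    if "@" in login:
        return UPN_TO_SAM.get(login)
    if "\\" in login:
        login = login.split("\\", 1)[1]
    return login if login in DIRECTORY else None


def check_password(login: str, password: str) -> Optional[str]:
    """Password check against the canonical account; returns it on success."""
    sam = canonical_account(login)
    if sam is None or PASSWORDS[sam] != password:
        return None
    return sam


def vulnerable_login(login: str, password: str, mfa_passed: bool) -> bool:
    """MFA requirement looked up by the string the user typed.

    'jdoe' -> enrolled -> MFA enforced. 'jdoe@corp.example' -> no entry ->
    default False -> the password alone is enough. Same account, two answers."""
    sam = check_password(login, password)
    if sam is None:
        return False
    needs_mfa = MFA_ENROLLED.get(login, False)
    return mfa_passed or not needs_mfa


def hardened_login(login: str, password: str, mfa_passed: bool) -> bool:
    """MFA requirement is a property of the canonical account, and an account
    with no explicit policy fails closed (MFA required)."""
    sam = check_password(login, password)
    if sam is None:
        return False
    needs_mfa = MFA_ENROLLED.get(sam, True)
    return mfa_passed or not needs_mfa


if __name__ == "__main__":
    pw = PASSWORDS["jdoe"]
    print("vulnerable, SAM spelling, no MFA:", vulnerable_login("jdoe", pw, False))            # False
    print("vulnerable, UPN spelling, no MFA:", vulnerable_login("jdoe@corp.example", pw, False))  # True (bypass)
    print("hardened,   UPN spelling, no MFA:", hardened_login("jdoe@corp.example", pw, False))    # False
```

SonicWall's workaround above is the blunter form of the same fix: by removing userPrincipalName from the qualified login name, the alternative spelling is refused outright instead of being canonicalised. Either way the MFA policy ends up with exactly one key per account, which is the property the bypass depends on being absent.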

When Will it Be Fixed?

Patches are available now and include the following:

Fixed Platforms | Fixed Versions
  • Gen6 NSv - NSv10, NSv25, NSv50, NSv100, NSv200, NSv300, NSv400, NSv800, NSv1600: 6.5.4.4-44v-21-2472 and higher.
  • Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W: 6.5.5.1-6n and higher.
  • Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, and Gen7 NSv - NSv 270, NSv 470, NSv 870 (ESX, KVM, Hyper-V, AWS, Azure): 7.0.1-5165 and higher; 7.1.3-7015 and higher.
  • TZ80: 8.0.0-8037 and higher.

How Blumira Can Help

Blumira’s security team is actively monitoring this issue and exploring methods to detect potential exploitation of these vulnerabilities.

Several detections and reports are available to our customers and may help reveal possible exploitation of these vulnerabilities or post-exploitation activity:

Type | Name
  • Detection | SonicWall: 5 or More Login Failures in 15 Minutes
  • Detection (default disabled) | SonicWall: Configuration Change
  • Detection (default disabled) | SonicWall: Administrator Login Allowed
  • Report | Firewall Configuration Change (SonicWall)
  • Report | IDS/IPS Alerts
  • Report | VPN Connections
  • Report | SonicWall: Administrator Login Allowed