SonicWall patches critical flaw affecting its firewalls (CVE-2024-40766)
SonicWall has patched a critical vulnerability (CVE-2024-40766) in its next-gen firewalls that could allow remote attackers unauthorized access to resources and, in specific conditions, to crash the appliances.
About CVE-2024-40766
CVE-2024-40766 is an improper access control vulnerability in the “SonicWall SonicOS management access”, the company says.
“This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.”
Security updates fixing the vulnerability are available for all currently supported next-gen firewall models.
“This vulnerability is not reproducible in SonicOS firmware version higher than 7.0.1-5035,” the company noted, but nevertheless advised users to install the latest firmware.
Though upgrading to a fixed version is preferred, SonicWall also offers a workaround to reduce the likelihood of exploitation: users can restrict firewall management access to trusted sources (e.g., whitelist specific IP addresses) or disable firewall WAN management access from internet sources.
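The following triage helper, added here as an example and not code from SonicWall or the article, encodes the affected-version logic above (Gen 5 and Gen 6 affected outright, Gen 7 affected on 7.0.1-5035 and older) and flags devices still relying on the interim workaround. The inventory records and their field names (gen, firmware, wan_mgmt, sslvpn_local_accounts, sslvpn_local_mfa) are constructed assumptions, not SonicOS export fields.

```python
"""Exposure triage for CVE-2024-40766 (added example; constructed sample data)."""
import re
from typing import List, Optional, Tuple

# From the advisory: Gen 7 is affected on this build and anything older.
GEN7_LAST_AFFECTED = "7.0.1-5035"
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos(version: str) -> Tuple[int, int, int, int]:
    """Turn a Gen 7 'major.minor.patch-build' string into a sortable tuple."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(gen: int, firmware: Optional[str]) -> bool:
    """True if the generation/firmware pair falls inside the affected range."""
    if gen in (5, 6):
        return True  # affected regardless of build, per the advisory
    if gen == 7:
        return parse_sonicos(firmware or "") <= parse_sonicos(GEN7_LAST_AFFECTED)
    return False  # other generations are not named in the advisory


def triage(device: dict) -> List[str]:
    """Findings for one device: patch status plus the interim mitigations."""
    findings = []
    if is_vulnerable(device["gen"], device.get("firmware")):
        findings.append("firmware in affected range: upgrade")
        if device.get("wan_mgmt", False):
            findings.append("WAN management reachable: restrict to trusted IPs or disable")
    if device.get("sslvpn_local_accounts", 0) and not device.get("sslvpn_local_mfa", False):
        findings.append("local SSL-VPN accounts without MFA: enable MFA")
    return findings


# Constructed inventory; the 7.0.1-5080 build is a made-up 'newer than 5035' value.
INVENTORY = [
    {"name": "fw-branch-1", "gen": 7, "firmware": "7.0.1-5035", "wan_mgmt": True,
     "sslvpn_local_accounts": 12, "sslvpn_local_mfa": False},
    {"name": "fw-hq", "gen": 7, "firmware": "7.0.1-5080", "wan_mgmt": False,
     "sslvpn_local_accounts": 0},
    {"name": "fw-legacy", "gen": 6, "firmware": "6.x (build not parsed)", "wan_mgmt": False,
     "sslvpn_local_accounts": 3, "sslvpn_local_mfa": True},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(d["name"], triage(d) or ["no findings"])
```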
No exploitation detected
SonicWall’s security solutions are widely used and occasionally targeted by attackers seeking a way into corporate networks.
In 2021, researchers discovered that attackers had leveraged zero-day flaws in SonicWall Email Security appliances, as well as a zero-day in the company’s Secure Mobile Access (SMA) 100 series appliances.
There is currently no mention of CVE-2024-40766 being exploited in the wild.
The vulnerability has a 9.3 CVSS v3 base score, and the associated vector string indicates that it is remotely exploitable with no privileges or user interaction required, and that the complexity of an attack triggering the flaw is rated “low”.
SonicWall’s description of this exploitable weakness is, understandably, very superficial, but threat actors might do some patch diffing (to identify the changes to binaries made by SonicWall’s security updates) and thus infer the flaw’s trigger and find a way to create a working exploit.
Admins are advised to implement the security updates as soon as possible.
UPDATE (September 6, 2024, 06:22 a.m. ET):
SonicWall has updated the advisory to say that the vulnerability “is potentially being exploited in the wild.”
The description of the flaw has also been amended to say that it affects SSL-VPN along with the devices’ management access.
UPDATE (September 9, 2024, 09:58 a.m. ET):
“In recent threat activity observed by Arctic Wolf, Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices. In each instance, the compromised accounts were local to the devices themselves rather than being integrated with a centralized authentication solution such as Microsoft Active Directory. Additionally, MFA was disabled for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be vulnerable to CVE-2024-40766,” Stefan Hostetler, Senior Threat Intelligence Researcher at Arctic Wolf, has shared.
“Arctic Wolf strongly recommends that organizations running affected SonicWall products upgrade to the latest supported SonicOS firmware versions as soon as possible. Additionally, as recommended by SonicWall, MFA should be enabled for all locally-managed SSLVPN accounts.”