Attackers are actually focusing on an authentication bypass vulnerability affecting SonicWall firewalls shortly after the discharge of proof-of-concept (PoC) exploit code.
This safety flaw (CVE-2024-53704), tagged by CISA as important severity and located within the SSLVPN authentication mechanism, impacts SonicOS variations 7.1.x (as much as 7.1.1-7058), 7.1.2-7019, and eight.0.0-8035, utilized by a number of fashions of Gen 6 and Gen 7 firewalls and SOHO sequence gadgets.
Profitable exploitation allows distant attackers to hijack energetic SSL VPN classes with out authentication, which grants them unauthorized entry to targets’ networks.
SonicWall urged prospects to right away improve their firewalls’ SonicOS firmware to stop exploitation in an electronic mail despatched earlier than disclosing the vulnerability publicly and releasing safety updates on January 7.
The corporate additionally shared mitigation measures for admins who could not instantly safe their gadgets, together with limiting entry to trusted sources and proscribing entry from the Web totally if not wanted.
On Thursday, cybersecurity firm Arctic Wolf stated they began detecting exploitation makes an attempt focusing on this vulnerability in assaults “shortly after the PoC was made public,” confirming SonicWall’s fears concerning the vulnerability’s elevated exploitation potential.
“The launched PoC exploit permits an unauthenticated risk actor to bypass MFA, disclose personal info, and interrupt operating VPN classes,” Arctic Wolf acknowledged.
“Given the convenience of exploitation and out there risk intelligence, Arctic Wolf strongly recommends upgrading to a set firmware to handle this vulnerability.”
PoC exploit launched one month after patch
Safety researchers at Bishop Fox revealed a PoC exploit on February 10, roughly one month after patches had been launched.
Bishop Fox added that roughly 4,500 unpatched SonicWall SSL VPN servers had been uncovered on-line in line with web scans on February 7.
“Proof-of-Ideas (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are actually publicly out there,” SonicWall warned after the exploit code was launched.
“This considerably will increase the chance of exploitation. Prospects should instantly replace all unpatched firewalls (7.1.x & 8.0.0). If making use of the firmware replace just isn’t attainable, disable SSLVPN.”
Prior to now, Akira and Fog ransomware associates have additionally focused SonicWall firewalls. Arctic Wolf warned in October that at the least 30 intrusions began with distant community entry by means of SonicWall VPN accounts.
