SonicWall firewall bug leveraged in attacks after PoC exploit release

Attackers are now targeting an authentication bypass vulnerability affecting SonicWall firewalls shortly after the release of proof-of-concept (PoC) exploit code.

This security flaw (CVE-2024-53704), tagged by CISA as critical severity and located in the SSLVPN authentication mechanism, impacts SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, used by multiple models of Gen 6 and Gen 7 firewalls and SOHO series devices.

Successful exploitation allows remote attackers to hijack active SSL VPN sessions without authentication, which grants them unauthorized access to targets’ networks.

SonicWall urged customers to immediately upgrade their firewalls’ SonicOS firmware to prevent exploitation in an email sent before disclosing the vulnerability publicly and releasing security updates on January 7.

The company also shared mitigation measures for admins who couldn’t immediately secure their devices, including limiting access to trusted sources and restricting access from the Internet entirely if not needed.

On Thursday, cybersecurity company Arctic Wolf said they started detecting exploitation attempts targeting this vulnerability in attacks “shortly after the PoC was made public,” confirming SonicWall’s fears regarding the vulnerability’s increased exploitation potential.

“The released PoC exploit allows an unauthenticated threat actor to bypass MFA, disclose private information, and interrupt running VPN sessions,” Arctic Wolf stated.

“Given the ease of exploitation and available threat intelligence, Arctic Wolf strongly recommends upgrading to a fixed firmware to address this vulnerability.”

PoC exploit released one month after patch

Security researchers at Bishop Fox published a PoC exploit on February 10, roughly one month after patches were released.

Bishop Fox added that roughly 4,500 unpatched SonicWall SSL VPN servers were exposed online according to internet scans on February 7.

“Proof-of-Concepts (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) are now publicly available,” SonicWall warned after the exploit code was released.

“This significantly increases the risk of exploitation. Customers must immediately update all unpatched firewalls (7.1.x & 8.0.0). If applying the firmware update isn’t possible, disable SSLVPN.”

In the past, Akira and Fog ransomware affiliates have also targeted SonicWall firewalls. Arctic Wolf warned in October that at least 30 intrusions started with remote network access through SonicWall VPN accounts.
