Attackers at the moment are focusing on an authentication bypass vulnerability affecting SonicWall firewalls shortly after the discharge of proof-of-concept (PoC) exploit code.
This safety flaw (CVE-2024-53704), tagged by CISA as important severity and located within the SSLVPN authentication mechanism, impacts SonicOS variations 7.1.x (as much as 7.1.1-7058), 7.1.2-7019, and eight.0.0-8035, utilized by a number of fashions of Gen 6 and Gen 7 firewalls and SOHO collection gadgets.
Profitable exploitation allows distant attackers to hijack energetic SSL VPN periods with out authentication, which grants them unauthorized entry to targets’ networks.
SonicWall urged clients to instantly improve their firewalls’ SonicOS firmware to forestall exploitation in an e-mail despatched earlier than disclosing the vulnerability publicly and releasing safety updates on January 7.
The corporate additionally shared mitigation measures for admins who could not instantly safe their gadgets, together with limiting entry to trusted sources and proscribing entry from the Web completely if not wanted.
On Thursday, cybersecurity firm Arctic Wolf stated they began detecting exploitation makes an attempt focusing on this vulnerability in assaults “shortly after the PoC was made public,” confirming SonicWall’s fears concerning the vulnerability’s elevated exploitation potential.
“The launched PoC exploit permits an unauthenticated menace actor to bypass MFA, disclose non-public data, and interrupt operating VPN periods,” Arctic Wolf said.
“Given the benefit of exploitation and accessible menace intelligence, Arctic Wolf strongly recommends upgrading to a hard and fast firmware to handle this vulnerability.”
PoC exploit launched one month after patch
Safety researchers at Bishop Fox revealed a PoC exploit on February 10, roughly one month after patches have been launched.
Bishop Fox added that roughly 4,500 unpatched SonicWall SSL VPN servers have been uncovered on-line based on web scans on February 7.
“Proof-of-Ideas (PoCs) for the SonicOS SSLVPN Authentication Bypass Vulnerability (CVE-2024-53704) at the moment are publicly accessible,” SonicWall warned after the exploit code was launched.
“This considerably will increase the chance of exploitation. Prospects should instantly replace all unpatched firewalls (7.1.x & 8.0.0). If making use of the firmware replace just isn’t potential, disable SSLVPN.”
Prior to now, Akira and Fog ransomware associates have additionally focused SonicWall firewalls. Arctic Wolf warned in October that at the least 30 intrusions began with distant community entry by SonicWall VPN accounts.