On January 7, 2025, SonicWall disclosed an authentication bypass vulnerability (CVE-2024-53704) in SonicOS that affects multiple SonicWall appliances. The flaw lets an unauthenticated attacker hijack an existing, already-authenticated SSLVPN session. Multi-factor authentication is no barrier, because the legitimate user has already completed the MFA challenge and the attacker simply inherits the result. Affected products are various Gen7 Firewalls and NSv devices on specific versions. Successful exploitation yields access to the internal networks reachable through the VPN without any knowledge of user credentials. Affected: SonicWall appliances, SSLVPN sessions
Keypoints :
- SonicWall announced an authentication bypass vulnerability (CVE-2024-53704) on January 7, 2025.
- The vulnerability affects SonicOS, used in several SonicWall appliances.
- Exploitation lets an unauthenticated attacker bypass SSLVPN authentication entirely.
- The attacker takes over an existing authenticated SSLVPN session and needs neither a username nor a password.
- Because the hijacked session has already passed the MFA challenge, multi-factor authentication (MFA) offers no protection against this attack.
- At the time of the advisory, SonicWall reported no evidence of exploitation in the wild.
- Affected devices include various Gen7 Firewalls and NSv models in specific versions listed in the advisory.
- The vulnerability was discovered by researchers from Computest Security and investigated by Bishop Fox.
- The research demonstrated how the vulnerability allows attackers to brute-force session IDs.
- The analysis walks through concrete session-hijacking scenarios.
MITRE Techniques :
- T1078: Valid Accounts – The hijacked SSLVPN session carries the access rights of a legitimate, already-authenticated user.
- T1071: Application Layer Protocol – The attack is delivered over HTTP requests to the vulnerable SSLVPN web interface.
- T1190: Exploit Public-Facing Application – The internet-facing SSLVPN endpoint is the target; the flaw lies in how it decodes and validates the base64-encoded session data on the server side.
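The summary above describes the bug only as "insecure base64 decoding" that lets a stranger inherit a live session or brute-force session IDs. The following is an added example written for this page; it is not SonicOS code, nor the Computest or Bishop Fox exploit. It is a constructed C session-cookie validator exhibiting two classic defects of that bug class (treating decoded bytes as a C string, so an embedded NUL turns the supplied ID into an empty string that matches anything, and comparing only a prefix whose length the attacker controls, which reduces brute force to one byte at a time), beside a hardened version that enforces exact length, rejects embedded NULs, and compares the full ID in constant time. The session IDs, cookie values and the specific flaw are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Length of a session ID in this constructed example (an assumption). */
#define SESSION_ID_LEN 16

/* Constructed stand-in for the appliance's table of live SSLVPN sessions.
 * The IDs are made up; a real store would hold them alongside user data. */
static const char *const active_sessions[] = {
    "7f3a9c2e4b1d8e6a",
    "c0ffee1234567890",
};
#define NUM_SESSIONS (sizeof active_sessions / sizeof active_sessions[0])

/* Cookie a legitimate client would send: base64 of the first session ID. */
#define LEGIT_COOKIE "N2YzYTljMmU0YjFkOGU2YQ=="
/* Attacker cookie: base64 of sixteen 0x00 bytes; no session ID knowledge needed. */
#define NUL_COOKIE   "AAAAAAAAAAAAAAAAAAAAAA=="

static int b64val(int c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Standard base64 decoder; stops at '=' padding. Returns bytes written or -1
 * on a bad character or overflow. It faithfully emits any byte value,
 * including 0x00: the caller, not the decoder, must cope with that. */
static int base64_decode(const char *in, uint8_t *out, size_t outcap) {
    uint32_t acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        int v = b64val((unsigned char)*in);
        if (v < 0) return -1;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outcap) return -1;
            out[n++] = (uint8_t)((acc >> bits) & 0xFF);
        }
    }
    return (int)n;
}

/* VULNERABLE (constructed): the decoded cookie is handled as a C string.
 * A leading 0x00 makes strlen() return 0, strncmp() then compares zero bytes
 * and "matches" the first live session. A short cookie matches any session
 * sharing that prefix, so an attacker can guess an ID one byte at a time. */
int lookup_session_vulnerable(const char *cookie) {
    uint8_t buf[64];
    int n = base64_decode(cookie, buf, sizeof buf - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    size_t len = strlen((const char *)buf);      /* truncates at first NUL */
    for (size_t i = 0; i < NUM_SESSIONS; i++)
        if (strncmp(active_sessions[i], (const char *)buf, len) == 0)
            return (int)i;
    return -1;
}

/* Constant-time comparison over a fixed length: no early exit on mismatch. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint8_t)(a[i] ^ b[i]);
    return d == 0;
}

/* HARDENED: exact decoded length, no NUL bytes, full-length constant-time
 * comparison. Neither the all-zero cookie nor a prefix can match. */
int lookup_session_hardened(const char *cookie) {
    uint8_t buf[64];
    int n = base64_decode(cookie, buf, sizeof buf);
    if (n != SESSION_ID_LEN) return -1;
    for (int i = 0; i < n; i++)
        if (buf[i] == 0) return -1;
    for (size_t i = 0; i < NUM_SESSIONS; i++)
        if (ct_equal((const uint8_t *)active_sessions[i], buf, SESSION_ID_LEN))
            return (int)i;
    return -1;
}

int main(void) {
    const char *probes[] = { LEGIT_COOKIE, NUL_COOKIE, "N2Yz" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s vulnerable=%2d hardened=%2d\n", probes[i],
               lookup_session_vulnerable(probes[i]),
               lookup_session_hardened(probes[i]));
    return 0;
}
```

Running the block shows the legitimate cookie resolving to session 0 in both validators, while the all-zero cookie and the three-byte prefix "N2Yz" (base64 of "7f3") are accepted only by the vulnerable one. The hardened lookup still returns the session index on success, so the caller should additionally bind the session to client attributes and expire it; the point of the example is that decoded cookie bytes must never be reinterpreted through C string functions.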
Indicator of Compromise :
- [CVE] CVE-2024-53704
Full Story: https://attackerkb.com/topics/UB3P3xHVAo/cve-2024-53704/rapid7-analysis?referrer=notificationEmail