SonicWall Vulnerability Exploited 

THE THREAT

Exploitation of the recently disclosed critical SonicWall vulnerability CVE-2024-40766 (CVSS:9.3) has now been confirmed. CVE-2024-40766 was disclosed on August 22nd and impacts SOHO (Gen 5), Gen6 Firewalls, and Gen7 Firewalls. Exploitation of the vulnerability would allow threat actors to gain access to unauthorized resources and, in specific conditions, cause the firewall to crash.

On September 6th, SonicWall updated their advisory, adding that, “This vulnerability is potentially being exploited in the wild.” On September 9th, CISA officially added CVE-2024-40766 to the Known Exploited Vulnerabilities catalog. Although CISA has not provided any details around real-world attacks involving the vulnerability, other security vendors have stated that CVE-2024-40766 is being exploited by ransomware groups.

What we’re doing about it

• eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices
• The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities

What you should do about it

• After performing a business impact review, apply the relevant security patches
• If patching is not immediately possible, consider “restricting firewall management to trusted sources or disabling firewall WAN management from Internet access”
• Enable Multi-Factor Authentication (MFA) on all SSLVPN accounts
• SonicWall specifically notes that “customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access”
  • Administrators must enable the “User must change password” option for all local accounts

Additional information

CVE-2024-40766 is an improper access control vulnerability. While eSentire cannot confirm exploitation leading to ransomware deployment, as of September 8th, eSentire has observed the targeting of SonicWall devices, leading to data exfiltration. Based on the observed incident, it is probable that threat actors exploited CVE-2024-40766. As exploitation has been confirmed, it is critical that organizations apply the relevant security patches or alternative mitigations immediately.

SonicWall vulnerabilities have a history of being targeted by financially motivated threat actor groups. The HelloKitty group leveraged a similar vulnerability in 2021, which was used to launch ransomware attacks against vulnerable SonicWall SMA appliances. The SonicWall vulnerability CVE-2024-40766 fits within a broader trend of threat actors exploiting internet-facing remote access technologies. The critical flaw, coupled with SonicWall’s broad deployment in corporate environments, presents a significant risk for both espionage and financially motivated cybercrime, such as ransomware attacks.

Impacted SonicWall Products:

• SOHO (Gen 5)
  • 5.9.2.14-12o and older versions
• Gen6 Firewalls -SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W
  • 6.5.4.14-109n and older versions
• Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700,NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700
  • SonicOS build version 7.0.1-5035 and older versions

References:

[1] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
[2] https://www.cisa.gov/known-exploited-vulnerabilities-catalog#:~:text=SONICWALL%20%7C%20SONICOS-,CVE%2D2024%2D40766,-SonicWall%20SonicOS%20Improper
[3] https://www.sonicwall.com/support/knowledge-base/how-do-i-configure-2fa-for-ssl-vpn-with-totp/190829123329169
[4] https://www.cisa.gov/news-events/alerts/2021/07/15/ransomware-risk-unpatched-eol-sonicwall-sra-and-sma-8x-products