SonicWall Firewall Vulnerability Allows VPN Session Hijacking: Urgent Patch Required

February 11, 2025

Bishop Fox security researchers have released a comprehensive report detailing the exploitation of a vulnerability, CVE-2024-53704, in certain versions of SonicWall's SonicOS SSLVPN application. This flaw allows hackers to bypass the authentication process, enabling them to hijack active SSL VPN sessions without needing authentication. SonicWall had previously alerted users to the high exploit potential of this vulnerability in a January 7 bulletin, urging immediate firmware updates for their SonicOS firewalls.

In an email to customers, SonicWall warned, "We have identified a firewall vulnerability that is susceptible to actual exploitation for customers with SSL VPN or SSH management enabled, and that should be mitigated immediately by upgrading to the latest firmware." This vulnerability allows unauthorized network access to a remote attacker by enabling them to hijack active SSL VPN sessions.

On January 22, Bishop Fox researchers confirmed SonicWall's concerns about the exploit potential of the vulnerability. They announced that they had developed an exploit for CVE-2024-53704 following a significant reverse-engineering effort. The full exploitation details were released by Bishop Fox after allowing time for system administrators to apply the available patches.

The exploit involves sending a specially crafted session cookie, containing a base64-encoded string of null bytes, to the SSL VPN authentication endpoint at '/cgi-bin/sslvpnclient.' This triggers an incorrect validation of the session, assuming the request is associated with an active VPN session. This results in the victim being logged out and the attacker gaining access to the session. The attacker can then access the user's Virtual Office bookmarks, obtain VPN client configuration settings, open a VPN tunnel to the internal network, and gain access to private network resources.

The researchers tested the validity of their analysis by creating a proof-of-concept exploit code to simulate an authentication bypass attack. The response headers showed that they had successfully hijacked an active session. The researchers stated, "With that, we were able to identify the username and domain of the hijacked session, along with private routes the user was able to access through the SSL VPN."

The vulnerability affects SonicOS versions 7.1.x (up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035. These versions run on various models of Gen 6 and Gen 7 firewalls, as well as SOHO series devices. Fixes are available in SonicOS 8.0.0-8037 and later, 7.0.1-5165 and higher, 7.1.3-7015 and higher, and 6.5.5.1-6n and higher.

As of February 7, Bishop Fox reports that approximately 4,500 internet-exposed SonicWall SSL VPN servers have not applied the security updates fixing CVE-2024-53705. With a working proof-of-concept exploit now publicly available, administrators are urged to apply the updates immediately as the exploitation risk for CVE-2024-53705 has significantly increased.

Related News

• Critical Authentication Bypass Vulnerability in SonicOS: Proof-of-Concept Revealed

Latest News

• PandasAI Vulnerability Allows Full System Compromise Through Prompt Injection
• Fortinet Firewalls Compromised by New Zero-Day Exploit
• Urgent Call to Secure Systems Against Ongoing Attacks Exploiting Microsoft Outlook RCE Vulnerability
• SimpleHelp RMM Vulnerabilities Exploited to Deploy Sliver Malware
• Critical Vulnerabilities in Cisco's Identity Services Engine: A Detailed Analysis