SonicWall has warned that a newly patched critical security flaw affecting SonicOS may have come under active exploitation, making it imperative that users apply the updates as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
"An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash," SonicWall warned in an updated alert.
In its latest update, the company disclosed that CVE-2024-40766 also affects the firewall's SSLVPN feature. The issue has been addressed in the following versions -
- SOHO (Gen 5 Firewalls) - 5.9.2.14-13o
- Gen 6 Firewalls - 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)
The network security company has since revised the advisory to note that the flaw may have been actively exploited.
"This vulnerability is potentially being exploited in the wild," it warned. "Please apply the patch as soon as possible for affected products."
As interim mitigations, SonicWall advises limiting firewall management access to trusted sources or disabling firewall WAN management from the Internet entirely. For SSLVPN, it likewise recommends restricting access to trusted sources or disabling Internet access to the service altogether.
Additional mitigations include enabling multi-factor authentication (MFA) with one-time passwords (OTPs) for all SSLVPN users. SonicWall also recommends that customers running GEN5 and GEN6 firewalls whose SSLVPN users have locally managed accounts reset those passwords immediately to prevent unauthorized access.
There are presently no details on how the flaw may have been exploited in the wild, although Chinese threat actors have previously abused unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.
Update: Cybersecurity firms Arctic Wolf and Rapid7 have cautioned that the newly reported critical flaw affecting SonicWall devices is certainly being actively exploited by ransomware gangs, including Akira.
"Akira ransomware affiliates carried out ransomware attacks with an initial access vector involving the compromise of SSLVPN user accounts on SonicWall devices," Arctic Wolf warned.
"In each case, the compromised accounts were local to the devices themselves rather than being connected with a centralized authentication system such as Microsoft Active Directory. Additionally, MFA was deactivated for all compromised accounts, and the SonicOS firmware on the affected devices was within the versions known to be susceptible to CVE-2024-40766."
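The Arctic Wolf findings above and SonicWall's mitigations earlier in the article together describe a simple triage: is the firmware below the fixed build for its branch, is WAN management exposed, and which SSLVPN accounts are local with MFA off. The script below is an added example written for this article, not SonicWall, Arctic Wolf or Rapid7 code. It assumes SonicOS version strings use the dot/dash format shown in the advisory with an optional trailing letter, that an exported account list can be reduced to a username, an authentication source and an MFA flag, and that the device inventory is a list of dictionaries; the sample inventory and its version strings are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# First fixed SonicOS builds, taken from the advisory text in this article.
# Key: the three-component firmware branch a device reports.
FIXED_BUILDS: Dict[str, str] = {
    "5.9.2": "5.9.2.14-13o",    # SOHO (Gen 5)
    "6.5.2": "6.5.2.8-2n",      # SM9800, NSsp 12400, NSsp 12800 (Gen 6)
    "6.5.4": "6.5.4.15.116n",   # other Gen 6 appliances
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Convert a SonicOS build string such as '6.5.4.15.116n' or
    '5.9.2.14-13o' into a tuple of integers that compares numerically.
    Assumption: components are separated by '.' or '-' and any trailing
    letters are a build suffix that does not affect ordering."""
    m = re.fullmatch(r"([0-9]+(?:[.-][0-9]+)*)[a-z]*", ver.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {ver!r}")
    return tuple(int(p) for p in re.split(r"[.-]", m.group(1)))


def is_vulnerable(ver: str) -> Optional[bool]:
    """True if the build predates the fix on its branch, False if it is at or
    past the fix, None if the branch is not covered by the advisory text."""
    parts = parse_version(ver)
    branch = ".".join(str(p) for p in parts[:3])
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return parts < parse_version(fixed)


@dataclass
class SslvpnAccount:
    username: str
    auth_source: str   # "local" for accounts managed on the firewall itself
    mfa_enabled: bool


def accounts_needing_action(accounts: List[SslvpnAccount]) -> List[str]:
    """Local SSLVPN accounts without MFA: the profile Arctic Wolf saw in the
    compromised accounts and the set SonicWall asked customers to reset."""
    return [a.username for a in accounts
            if a.auth_source == "local" and not a.mfa_enabled]


def triage(inventory: List[dict]) -> Dict[str, List[str]]:
    """Map each device name to the remediation steps the advisory calls for."""
    findings: Dict[str, List[str]] = {}
    for dev in inventory:
        actions: List[str] = []
        vuln = is_vulnerable(dev["version"])
        if vuln:
            actions.append(f"upgrade {dev['version']} to a fixed build")
        elif vuln is None:
            actions.append("firmware branch not covered here; check vendor guidance")
        if dev.get("wan_management_exposed"):
            actions.append("restrict WAN management to trusted sources or disable it")
        weak = accounts_needing_action(dev["accounts"])
        if weak:
            actions.append("reset passwords and enforce OTP MFA for: " + ", ".join(weak))
        findings[dev["name"]] = actions
    return findings


# Constructed sample inventory (hypothetical devices, versions and accounts).
SAMPLE_INVENTORY = [
    {"name": "fw-branch-01", "version": "6.5.4.14.109n", "wan_management_exposed": True,
     "accounts": [SslvpnAccount("jdoe", "local", False),
                  SslvpnAccount("asmith", "ldap", True)]},
    {"name": "fw-dc-02", "version": "6.5.2.8-2n", "wan_management_exposed": False,
     "accounts": [SslvpnAccount("svc-vpn", "local", True)]},
]

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY).items():
        print(name, "->", actions or ["no action required"])
```

Versions are compared as integer tuples, so a build that reports fewer components than the fixed build (for example `6.5.4.15` with no trailing build number) sorts below the fix and is flagged; that errs on the side of treating an ambiguous build as unpatched. Branches the advisory does not list return `None` rather than a guess.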
Rapid7, for its part, highlighted that "evidence linking CVE-2024-40766 to these incidents is still circumstantial" despite finding ransomware gangs targeting SonicWall SSLVPN accounts in recent instances.
The vulnerability has now been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring government entities to apply the fixes by September 30, 2024.