
WARNING: CRITICAL IMPROPER ACCESS CONTROL VULNERABILITY IN SONICOS PRODUCTS, PATCH IMMEDIATELY!

Reference: Advisory #2024-212
Version: 1.1
Affected software:
SOHO (Gen 5): 5.9.2.14-12o and older versions
Gen6 Firewalls - SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250
Gen7 Firewalls - TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700: SonicOS build version 7.0.1-5035 and older versions
Type: Improper Access Control Vulnerability
CVE/CVSS: CVE-2024-40766 / CVSS 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L)
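To triage a device inventory against the affected versions listed above, the following added example (not part of the advisory or of SonicWall's tooling) parses SonicOS version strings and flags firmware at or below the Gen 5 and Gen 7 thresholds; Gen 6 models are listed without a build threshold here, so they are returned for manual review. The ordering assumption (dotted components numeric, build number numeric, trailing letter suffix ordered after the bare build) and the inventory are constructed, not taken from the advisory.

```python
import re

# Upper bounds quoted in the advisory: firmware at or below these is affected.
# Generation labels are constructed keys for this example.
AFFECTED_MAX = {
    "gen5": "5.9.2.14-12o",
    "gen7": "7.0.1-5035",
}

def parse_version(v):
    """Split a SonicOS version string into a comparable tuple.

    Assumption (not stated in the advisory): dotted components compare
    numerically, the dash-separated build compares numerically, and a
    trailing letter (as in '12o') orders after the bare build number.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(\d+)([a-z]?))?", v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {v!r}")
    dotted, build, suffix = m.groups()
    nums = tuple(int(x) for x in dotted.split("."))
    return nums, int(build) if build else -1, suffix or ""

def is_affected(generation, version):
    """True/False against the advisory threshold; None when no threshold is given."""
    bound = AFFECTED_MAX.get(generation)
    if bound is None:
        return None  # e.g. Gen6: models listed without a version, review manually
    return parse_version(version) <= parse_version(bound)

# Constructed inventory for illustration only; hostnames and versions are not real data.
INVENTORY = [
    {"host": "fw-branch-01", "generation": "gen7", "version": "7.0.1-5035"},
    {"host": "fw-branch-02", "generation": "gen7", "version": "7.0.1-5119"},
    {"host": "fw-legacy-01", "generation": "gen5", "version": "5.9.2.14-12o"},
    {"host": "fw-legacy-02", "generation": "gen5", "version": "5.9.2.14-13o"},
    {"host": "fw-dc-01", "generation": "gen6", "version": "6.5.4.14-109n"},
]

def triage(inventory):
    """Map each host to True (affected), False (not affected) or None (manual review)."""
    return {d["host"]: is_affected(d["generation"], d["version"]) for d in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {'AFFECTED' if status else 'manual review' if status is None else 'ok'}")
```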

Sources

SonicWall: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

Risks

The vulnerability can allow an attacker to gain unauthorized access to firewall resources and, in some cases, cause the firewall to crash. It has a high impact on confidentiality and, in some cases, an impact on the availability of the firewall. The attack can be carried out remotely.

Threat actors have been observed in the past targeting SonicWall appliances with malware that persists through firmware upgrades. Given the criticality of these appliances and the fact that devices of this type are often targeted by threat actors, patching this vulnerability is highly advised.

The vulnerability has been reported as actively exploited in the wild! Update your systems immediately!

Description

SonicWall has disclosed a critical improper access control vulnerability in SonicOS, the operating system for their firewall products.

The vulnerability affects SonicWall firewall Gen 5, Gen 6 and Gen 7 devices; updates are available for the affected devices.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

Monitor/Detect
The CCB recommends that organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/en/cert/report-incident

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a historic compromise.

References

Bleeping Computer: https://www.bleepingcomputer.com/news/security/sonicwall-warns-of-critical-access-control-flaw-in-sonicos