Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label firewall exploits. Show all posts
VPN
Bishop Fox cyber threat Cyberattacks Cybersecurity firewall exploits Hijacking SonicWall VPN

Urgent Patch Needed for SonicWall Firewall Exploit Enabling VPN Hijacking

 


Bishop Fox cybersecurity researchers have discovered a critical security flaw in approximately 4,500 SonicWall firewalls that are exposed to the Internet as a result of a critical security breach. The flaw, CVE-2024-53704, is a high-severity authentication bypass vulnerability within SonicOS SSLVPN. Threat actors could exploit this flaw to gain unauthorized access to your VPN sessions, compromising the privacy of your sensitive data and the security of your network. 

SonicWall has issued a patch to address this issue, but unpatched systems remain at immediate risk. Due to this discovery, it is imperative that organizations relying on SonicWall firewalls immediately update those firewalls to mitigate the threat of cyberattacks leveraging this exploit and mitigate the amount of damage they will incur.

In its security bulletin dated January 7, 2025, SonicWall issued a warning about the high likelihood of an exploit resulting from a recently identified authentication bypass vulnerability within its SonicOS SSLVPN application that has been released to alert customers. There was a strong recommendation the company sent out to administrators to upgrade their SonicOS firewall firmware immediately so that they could mitigate the risk of unauthorized access and potentially dangerous cyberattacks. 

The SonicWall security company sent an email notification to all its customers about this critical vulnerability. In the email warning, SonicWall reiterated that the vulnerability poses an immediate threat to organizations that have SSL VPNs or SSH management enabled in their systems. This vendor stressed the importance of immediately updating firmware to protect networks and prevent malicious actors from exploiting them. 

In the latest research, SonicWall's SonicOS SSLVPN application was discovered to have an authentication bypass vulnerability, which has been rated at high risk with a CVSS score of 8.2. In this particular case, the problem affects several versions of SonicOS, specifically versions 7.1.x (all versions up to 7.1.1-7058), 7.1.2-7019, and 8.0.0-8035, which are widely utilized across both Generation 6 and Generation 7 SonicWall firewalls. 

Bishop Fox's cybersecurity team performed a thorough analysis of the vulnerability and successfully demonstrated exploitation scenarios to demonstrate the possibility of unauthenticated, remote attackers bypassing security mechanisms and hijacking active VPN sessions if they can bypass authentication mechanisms. To exploit this vulnerability, a specially crafted session cookie is sent to the SSL VPN endpoint's endpoint (/cgi-bin/sslvpnclient) that contains a base64-encoded string of null bytes. 

The misuse of this method can allow threat actors to gain access to authenticated VPN sessions without requiring valid credentials from the users, which poses a significant risk to organizations that use SonicWall firewall products as part of their security measures. The Cyber Security Research Lab has determined that as of February 7, 2025, approximately 4,500 SonicWall SSL VPN servers that connect to the internet remain unpatched and are vulnerable to exploitation by hackers. 

Initially, SonicWall published a security advisory on January 7, 2025, urging organizations to immediately update their firewall firmware to mitigate the risks associated with this high-severity vulnerability that allows authentication bypass. Several SonicOS firewall applications, which are affected by this flaw, have had firmware patches issued to address the problem. These include SonicOS 6.5.5.1-6n or later for Gen 6 firewalls, SonicOS 7.1.3-7015 or later for Gen 7 firewalls, and SonicOS 8.0.0-8037 or later for TZ80 firewalls, which have all been updated with these firmware patches. 

To mitigate the risks associated with these updates, organizations unable to implement these updates are strongly recommended to temporarily disable SSL VPN access or to restrict it only to trusted IP addresses. Despite the simplicity of the exploit, the risk it poses to corporate networks is significant; this is because it opens the door for widespread abuse from threat actors seeking to gain access to corporate networks to espionage, data exfiltration, or ransomware attacks. 

As soon as an adversary is inside a compromised environment, they will be able to escalate privileges, perform lateral movements, and further infiltrate critical systems. To combat these threats, administrators must immediately implement several key security measures that can help prevent these threats from happening. 

Too achieve this, all affected devices need to be updated with the latest firmware, SSL VPN and SSH management access should be restricted to trusted IP ranges, firewall logs should be monitored for anomalies, such as repeat session terminations or unauthorized login attempts, and multi-factor authentication (MFA) should be implemented on all devices. 

MFA, while ineffective in combating this specific exploit, remains a critical security measure that can be used against other types of cyberattacks as well. Since the risks associated with active exploitation are high, organizations should prioritize the security of their SonicWall firewalls to prevent unauthorized access to their networks, possible data breaches, and long-term network compromises.
Read more »
Vulnerabilities and Exploits
Business Security firewall exploits Security Patch SonicWall Vulnerabilities and Exploits

Thousands of SonicWall Devices Vulnerable to Critical Security Threats

 

Thousands of SonicWall network security devices are currently exposed to severe vulnerabilities, with over 20,000 running outdated firmware that no longer receives vendor support. This puts countless organizations at risk of unauthorized access and potential data breaches.

Key Findings of the Study

  • A Bishop Fox study identified more than 25,000 SonicWall SSLVPN devices exposed to the internet, making them easy targets for cybercriminals.
  • The research analyzed over 430,000 SonicWall devices globally and found that 39% of the exposed devices were running Series 7 firewalls, many of which lacked the latest security patches.
  • Over 20,000 devices were found to be running software versions no longer supported by SonicWall, with older Series 5 and Series 6 devices being the most at risk.

Impact of Vulnerabilities

The study highlighted that many of these devices remain susceptible to exploits, including authentication bypasses and heap overflow bugs disclosed earlier this year. Attackers could use these flaws to gain unauthorized access to networks, particularly when both SSL VPN and administration interfaces are exposed online.

Bishop Fox employed advanced fingerprinting techniques to reverse-engineer the encryption securing the SonicOSX firmware, allowing researchers to pinpoint the vulnerabilities specific to each device version.

Risks Posed by Unsupported Firmware

  • Many Series 5 devices, which are largely unsupported, continue to be exposed to the internet, leaving them highly vulnerable to attacks.
  • Series 6 devices, while better maintained, still include a significant number that have not applied the latest patches.
  • Approximately 28% of evaluated devices were found to have critical or high-severity vulnerabilities.

Recommendations for Companies

Organizations using SonicWall devices must take immediate steps to mitigate these risks:

  • Ensure all firmware is updated to the latest version to address known vulnerabilities.
  • Disable public exposure of SSL VPN and administration interfaces to reduce attack surfaces.
  • Regularly audit network security practices and implement robust patch management protocols.

The findings underscore the urgent need for companies to prioritize cybersecurity measures. Neglecting to update firmware and secure network devices can have severe consequences, leaving systems and sensitive data vulnerable to exploitation.

With threats growing increasingly sophisticated, staying proactive about network security is no longer optional—it’s essential.

Read more »
Tesla Vulnerabilities and Exploits
authentication bypass flaw cybersecurity vulnerabilities firewall exploits Palo Alto firewalls PAN-OS attacks privilege escalation vulnerability Tesla Vulnerabilities and Exploits

Thousands of Palo Alto Firewalls Hacked Through Recently Patched Vulnerabilities

 

 
Hackers have successfully breached thousands of Palo Alto Networks firewalls by exploiting two critical vulnerabilities recently addressed by the company.

The flaws include an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface, allowing remote attackers to gain admin privileges, and a privilege escalation vulnerability (CVE-2024-9474) enabling execution of commands on firewalls with root access.

CVE-2024-9474 was disclosed earlier this week, while Palo Alto Networks initially alerted users on November 8 about a potential remote code execution flaw, now identified as CVE-2024-0012. The company continues to investigate attacks leveraging these flaws and has confirmed instances of malware deployment and command execution on compromised firewalls.

"This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the company stated on Wednesday.

Unit 42, Palo Alto’s threat intelligence team, added, "At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity."

While Palo Alto claims the impact is limited to "a very small number" of PAN-OS devices, the Shadowserver Foundation reported over 2,700 vulnerable systems globally, with approximately 2,000 already compromised.

In response, the Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch their systems by December 9.

Additionally, CISA flagged another severe vulnerability (CVE-2024-5910) in the Palo Alto Networks Expedition tool, exploited in November, as well as a previous critical flaw (CVE-2024-3400) impacting over 82,000 devices earlier this year.

Palo Alto Networks has urged customers to secure management interfaces:
"Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines," the company advised.
Read more »
Subscribe to: Posts (Atom)