- Bishop Fox found a way to abuse a SonicWall VPN flaw
- It allows threat actors to bypass authentication and hijack sessions
- There are thousands of vulnerable endpoints
A critical vulnerability in SonicWall's VPN that can be exploited to hijack sessions and access the target network has now received its first proof of concept (PoC), which means it is only a matter of time before cybercriminals start exploiting it in the wild.
In early January 2025, SonicWall raised the alarm over a vulnerability in SonicOS and urged its users to apply the fix immediately. The flaw is tracked as CVE-2024-53704 and is described as an improper authentication error in the SSLVPN authentication mechanism. It was given a severity score of 9.8/10 (critical), and SonicWall said a remote attacker could abuse it to bypass authentication.
The affected versions are SonicOS 7.1.x (up to 7.1.1-7058), 7.1.2-7019 and 8.0.0-8035. SonicWall released SonicOS 8.0.0-8037 and later, 7.0.1-5165 and later, 7.1.3-7015 and later, and 6.5.5-6n and later to address the bug. At the time, more than 4,500 endpoints were exposed to the internet.
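For a quick inventory check against the affected and fixed builds listed above, here is an added example (not code from the article, SonicWall or Bishop Fox) that parses SonicOS version strings of the form `major.minor.patch-build` and classifies each one; it encodes only the builds the article names, reports anything else as `unknown`, and does not model the 6.5.5 line because the page gives its build only as `6.5.5-6n`. The host names in the inventory are constructed.

```python
import re
from typing import Optional, Tuple

# Fixed builds named in the article, keyed by (major, minor) branch:
# a (patch, build) at or above this value on that branch is treated as patched.
FIXED = {
    (8, 0): (0, 8037),   # 8.0.0-8037 and later
    (7, 0): (1, 5165),   # 7.0.1-5165 and later
    (7, 1): (3, 7015),   # 7.1.3-7015 and later
}


def parse_version(version: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'major.minor.patch-build' (e.g. '7.1.1-7058') into ints; None if malformed."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)-(\d+)\s*", version)
    if not m:
        return None
    major, minor, patch, build = (int(x) for x in m.groups())
    return major, minor, patch, build


def is_listed_affected(major: int, minor: int, patch: int, build: int) -> bool:
    """True only for builds the article explicitly lists as affected by CVE-2024-53704."""
    if (major, minor) == (7, 1):
        # 7.1.x up to and including 7.1.1-7058, plus 7.1.2-7019
        return (patch, build) <= (1, 7058) or (patch, build) == (2, 7019)
    if (major, minor, patch) == (8, 0, 0):
        return build == 8035
    return False


def assess(version: str) -> str:
    """Classify a SonicOS version as 'patched', 'vulnerable', 'unknown' or 'unparseable'."""
    parsed = parse_version(version)
    if parsed is None:
        return "unparseable"
    major, minor, patch, build = parsed
    fixed = FIXED.get((major, minor))
    if fixed is not None and (patch, build) >= fixed:
        return "patched"
    if is_listed_affected(major, minor, patch, build):
        return "vulnerable"
    return "unknown"  # not named on the page either way; consult the vendor advisory


if __name__ == "__main__":
    # Constructed inventory, not real appliances.
    for host, ver in [("fw-hq", "7.1.1-7058"), ("fw-branch", "8.0.0-8037"), ("fw-lab", "7.0.1-5100")]:
        print(f"{host}: SonicOS {ver} -> {assess(ver)}")
```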
Proof of concept
Now that SonicWall customers have had enough time to patch, Bishop Fox security researchers have shared more details about the vulnerability, along with a PoC. After a “significant” reverse-engineering effort, Bishop Fox said the vulnerability could be exploited by sending a crafted session cookie containing a base64-encoded string of null bytes to the SSLVPN authentication endpoint.
This causes the endpoint to assume the request is associated with an active VPN session and to validate it incorrectly. As a result, the target is logged out, while the attacker gains access to the session, including the ability to read the victim's Virtual Office bookmarks, access the VPN client configuration, open a VPN tunnel and more.
“With that, we were able to identify the username and domain of the hijacked session, along with the private routes the user could access through the SSL VPN,” the researchers said.
Via BleepingComputer