Several vulnerabilities in SonicWall SonicOS could allow a remote attacker to bypass authentication.


MS-ISAC ADVISORY NUMBER:

2025-002

DATE(S) ISSUED:

09/01/2025

OVERVIEW:

Several vulnerabilities have been discovered in SonicWall SonicOS that could allow authentication to be bypassed. SonicOS is SonicWall's operating system for its firewalls and other security appliances. Successful exploitation of the most severe of these vulnerabilities could allow authentication to be bypassed on the affected system. Depending on the privileges associated with the system, an attacker could then view, modify or delete data.

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Gen6 Hardware Firewalls versions prior to 6.5.5.1-6n
  • Gen7 Firewalls versions prior to 7.1.3-7015
  • Gen7 NSv versions prior to 7.0.1-5165
  • TZ80 versions prior to 8.0.0-8037
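A defender-side inventory check against the version thresholds listed above, added here as an example and not part of the advisory. The product labels, the version-string parsing rules and the sample inventory are assumptions constructed for this example; SonicOS builds such as "6.5.5.1-6n" are compared numerically by release, build number and build letter rather than as plain strings.

```python
import re
from typing import Dict, List, Tuple

# First fixed build per product line, taken from the "Systems Affected" list.
# Product keys are labels chosen for this example, not SonicWall identifiers.
FIXED_VERSIONS: Dict[str, str] = {
    "gen6_hw": "6.5.5.1-6n",
    "gen7_fw": "7.1.3-7015",
    "gen7_nsv": "7.0.1-5165",
    "tz80": "8.0.0-8037",
}

# SonicOS versions look like "7.1.3-7015" or, on Gen6, "6.5.5.1-6n":
# dotted release numbers, a dash, a build number and an optional build letter.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")

def parse_version(ver: str) -> Tuple[Tuple[int, ...], int, str]:
    """Return (release tuple, build number, build letter) so that Python's
    tuple ordering compares releases numerically, not as strings."""
    m = _VERSION_RE.match(ver.strip().lower())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {ver!r}")
    release = tuple(int(p) for p in m.group(1).split("."))
    return release, int(m.group(2)), m.group(3)

def is_affected(product: str, ver: str) -> bool:
    """True when ver is older than the first fixed build for the product."""
    return parse_version(ver) < parse_version(FIXED_VERSIONS[product])

def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the names of inventory entries (name, product, version) that
    still run an affected build, e.g. to feed a patch or exposure ticket."""
    return [name for name, product, ver in inventory if is_affected(product, ver)]

# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    ("fw-branch-01", "gen6_hw", "6.5.4.4-44n"),   # older release: affected
    ("fw-branch-02", "gen6_hw", "6.5.5.1-6n"),    # at the fixed build: OK
    ("fw-hq-01", "gen7_fw", "7.1.2-7019"),        # older release: affected
    ("fw-hq-02", "gen7_fw", "7.1.3-7015"),        # at the fixed build: OK
    ("nsv-aws-01", "gen7_nsv", "7.0.1-5119"),     # lower build: affected
    ("tz80-lab", "tz80", "8.0.0-8037"),           # at the fixed build: OK
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected build, schedule the SonicOS update")
```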

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: N/A

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM

TECHNICAL SUMMARY:

Several vulnerabilities have been discovered in SonicWall products, the most severe of which could allow authentication to be bypassed. The details of the vulnerabilities are as follows:

Tactic: Initial Access (TA0001):

Technique: Exploit Public-Facing Application (T1190):

  • An improper authentication vulnerability in the SSLVPN authentication mechanism allows a remote attacker to bypass authentication. (CVE-2024-53704)
  • Use of a cryptographically weak pseudo-random number generator (PRNG) in the SonicOS SSLVPN authentication token generator means that, in some cases, the token can be predicted by an attacker, potentially leading to authentication bypass. (CVE-2024-40762)

Details of lower severity vulnerabilities:

  • A Server-Side Request Forgery vulnerability in the SonicOS SSH management interface allows a remote attacker to establish a TCP connection to an IP address on any port while a user is logged in to the firewall. (CVE-2024-53705)
  • A vulnerability in the Gen7 SonicOS Cloud NSv platform (AWS and Azure editions only) allows a remote, authenticated, local, low-privileged attacker to elevate privileges to "root", potentially leading to code execution. (CVE-2024-53706)

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication on the affected system. Depending on the privileges associated with the system, an attacker could then install programs or view, modify or delete data.

RECOMMENDATIONS:

We recommend taking the following measures:

  • Apply appropriate updates provided by SonicWall to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
  • Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
  • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
  • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
  • Restrict access to file shares and remote access to unnecessary systems and services. Mechanisms to limit access may include the use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
  • Use intrusion detection signatures to block malicious traffic at network boundaries. (M1031: Network Intrusion Prevention)
  • Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or an equivalent cloud service provider (CSP) service.
  • Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or an equivalent CSP service.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  • Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
