SonicWall CVE-2024-53704: Exploit Details
Watch a quick explainer of Bishop Fox's successful exploit of SonicWall CVE-2024-53704.
Bishop Fox researchers successfully exploited CVE-2024-53704, an authentication bypass in unpatched SonicWall firewalls that allows remote attackers to hijack active SSL VPN sessions and gain unauthorized network access.
While the vulnerability required significant reverse engineering to uncover, the exploit itself is trivial, emphasizing the urgency for organizations to apply SonicWall’s January 2025 patches.
TRANSCRIPT:
[00:00:00] Hey y'all, this is Jon Williams, Security Researcher at Bishop Fox. I want to talk to you today about CVE-2024-53704, an authentication bypass affecting the SSL VPN component of SonicWall firewalls. The vendor initially reported this issue on January 7th, just over a month ago. Shortly after the advisory was released, our team was able to reproduce the vulnerability and write proof of concept code to exploit it.
[00:00:26] What we learned was that the exploit itself is pretty trivial, but the impacts are severe. An unprivileged attacker can send a request to the SSL VPN, and as long as at least one VPN user is connected, hijack their session. This allows them to identify the compromised user, obtain a configuration file from NetExtender, see what private routes the user can access, and initiate a VPN tunnel connection, all without knowing the user's password.
[00:00:54] That means the attacker can gain access to anything the victim can reach inside the private network. And if they want to, the attacker can log out of the session and disconnect the authenticated user instantly. Sometimes the words used to describe a vulnerability don't do it justice. And in this case, I think describing it as a session hijacking vuln conveys a lot more than calling it an auth bypass.
[00:01:16] It's opportunistic. Any session can be taken over. The attacker doesn't have to know who they're targeting. Now, the good news is that patches are available, so if you're a SonicWall customer, be sure to patch all your affected devices immediately. At this time, we're still seeing thousands of vulnerable devices scattered across the Internet.
[00:01:34] We notified our Cosmos customers which of their appliances were vulnerable within days of the advisory and then followed up again once we had an exploit to demonstrate the impacts for anybody who hadn't remediated yet. That, of course, provided their security teams with more ammunition to get those updates done faster.
[00:01:51] For the rest of you, we publicly announced our exploit early on to help you empower your own security teams to take action. In the spirit of responsible disclosure, we withheld the details for a couple of weeks, until 90 days from the date of the initial report and also 30 days after patches were released, to ensure that affected customers had a full administrative cycle. That time is up now, so head on over to our blog to read up on it.
[00:02:15] Thanks for watching. We'll see you next time.