CVE-2024-53704 SonicWall SonicOS SSLVPN Improper Authentication Vulnerability

CVE-2024-53704 Description

CVE-2024-53704 is a critical security vulnerability identified in SonicWall’s SonicOS, specifically affecting the SSLVPN authentication mechanism. This flaw allows remote, unauthenticated attackers to bypass standard authentication protocols, potentially granting unauthorized access to sensitive networks. The vulnerability stems from improper handling of Base64-encoded session cookies within the SSLVPN component, enabling malicious actors to hijack active VPN sessions without valid credentials.

Affected Products and Versions

The following SonicWall products and firmware versions are susceptible to CVE-2024-53704:

• SonicWall SonicOS:

  • Versions 7.1.x (7.1.1-7058 and earlier)
  • Version 7.1.2-7019
  • Version 8.0.0-8035

• SonicWall Gen 7 Next Generation Firewalls (NGFW):

  • TZ Series: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670
  • NSa Series: NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700
  • NSsp Series: NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700

• SonicWall Gen 7 NSv Virtual Firewalls:

  • NSv 270, NSv 470, NSv 870

• SonicWall TZ80:

  • Version 8.0.0-8035

Organizations utilizing these products should assess their firmware versions and apply necessary updates to mitigate potential risks.

Mitigation and Remediation Steps

To safeguard systems against potential exploitation of CVE-2024-53704, the following actions are recommended:

1. Immediate Firmware Update: SonicWall has released patches addressing this vulnerability. Administrators should promptly update their devices to the latest firmware versions as detailed in SonicWall’s advisory.

   SonicWall PSIRT

2. Restrict SSLVPN Access: Limit SSLVPN access to trusted sources only. If SSLVPN access from the internet is unnecessary, consider disabling it to reduce exposure.

   SonicWall PSIRT

3. Continuous Network Monitoring: Implement continuous monitoring to detect unusual activities that may indicate exploitation attempts, such as unauthorized session hijacking or access to sensitive resources.

4. User Education: Inform users about the importance of logging out from VPN sessions when not in use and recognizing signs of potential session hijacking.

Impact of Successful Exploitation

Exploiting CVE-2024-53704 can have severe consequences, including:

• Unauthorized Network Access: Attackers can gain access to internal networks, potentially leading to data breaches or further exploitation.

• Session Hijacking: Malicious actors can hijack active SSLVPN sessions, impersonating legitimate users and accessing sensitive information.

• Multi-Factor Authentication Bypass: The vulnerability allows attackers to bypass multi-factor authentication (MFA), undermining an essential security layer.

  Bishop Fox

• Service Disruption: Exploitation may lead to repeated termination and reconnection of user sessions, causing operational disruptions.

  AttackerKB

Proof of Concept

Security researchers from Bishop Fox have demonstrated the exploitability of CVE-2024-53704. Their analysis revealed that an attacker could remotely hijack active SSLVPN sessions without authentication. The exploit involves manipulating the SSLVPN server to leak valid session cookies, allowing unauthorized access to the network. As of February 7, 2025, approximately 4,500 internet-facing SonicWall SSLVPN servers remained unpatched, highlighting the urgency for immediate remediation.

In summary, CVE-2024-53704 presents a significant security risk to organizations using affected SonicWall products. Immediate action, including firmware updates and access restrictions, is essential to protect against potential exploitation.