Active Exploitation of SonicWall SSL-VPN Access Control Vulnerability

The Shield53 Threat Intelligence Team is issuing this bulletin to alert you about a critical access control vulnerability in SonicWall SSL-VPN devices, which is currently being exploited in the wild. Organizations using SonicWall SSL-VPN should take immediate action to mitigate the risk of exploitation.

Summary

A critical access control flaw, tracked as CVE-2024-1234, has been discovered in SonicWall’s SSL-VPN devices, allowing unauthenticated attackers to bypass access controls and execute code remotely. SonicWall issued patches for this vulnerability in February 2024, but recent reports confirm active exploitation in live attacks against unpatched systems.

Details of the Exploitation

This vulnerability enables attackers to bypass authentication controls, granting them remote access to internal networks. With this access, threat actors can execute arbitrary commands, compromise sensitive data, and pursue follow-on activity such as ransomware deployment or lateral movement across the network.

Security researchers have observed an increase in activity surrounding this flaw, including malicious campaigns targeting organizations that have not yet applied the available patches. Some of the attacks appear to be linked to advanced persistent threat (APT) groups, leveraging this vulnerability for espionage and data theft.

Observations

While Shield53 has not detected any specific attacks leveraging CVE-2024-1234 within our client environments, the increasing activity around this vulnerability suggests imminent risk, particularly for organizations that rely heavily on SonicWall SSL-VPN for remote access.

Given the widespread usage of SonicWall products in enterprise environments, we strongly encourage all clients to review their current patch levels and immediately apply the relevant security updates if they haven’t already done so.

Recommendation: Immediate Patching Required

SonicWall has released a patch to address this critical vulnerability. Shield53 recommends the following actions:

  • Ensure all SonicWall SSL-VPN devices are updated to the latest firmware version containing the patch for CVE-2024-1234.

  • Review and implement network segmentation and firewall rules to limit exposure of VPN appliances to the public internet.

  • Monitor network logs for any unusual access patterns or attempts to exploit the SSL-VPN service.

  • Increase alerting on SonicWall VPN access to detect potential anomalous behaviors early.

Additional Guidance

SonicWall’s guidance on this vulnerability is clear: organizations should apply patches without delay. Threat actors are actively exploiting this flaw, and unpatched systems remain vulnerable to sophisticated attacks that can result in severe security breaches.

| Product | Vulnerability | Affected Versions | Patching Guidance |
|---|---|---|---|
| SonicWall SSL-VPN | CVE-2024-1234 | Firmware prior to 10.2.0.0 | Upgrade to the latest fixed release. |
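To act on the patch-level review recommended above, the following added example (not Shield53 or SonicWall code) triages a device inventory against the affected range stated in this bulletin, firmware prior to 10.2.0.0. The CSV layout, hostnames and version strings are constructed for illustration; adapt the parsing to however your inventory records firmware.

```python
import csv
import io
import re

FIXED_FLOOR = (10, 2, 0, 0)  # bulletin: firmware prior to 10.2.0.0 is affected

# Constructed sample inventory; hostnames and version strings are illustrative.
SAMPLE_INVENTORY = """hostname,firmware
vpn-edge-01,10.2.1.3-24sv
vpn-edge-02,9.0.0.11
vpn-branch-07,10.2
vpn-lab-01,unknown
vpn-dr-01,10.1.9.9-3sv
"""

# Up to four dotted numeric fields, optionally followed by a build suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,3})(?:[-_ ].*)?$")


def parse_firmware(text):
    """Return a 4-part integer tuple, or None if the string is not a version."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # "10.2" -> (10, 2, 0, 0)


def triage(inventory_csv):
    """Classify each device as 'affected', 'not_affected' or 'review'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_firmware(row.get("firmware"))
        if version is None:
            status = "review"        # unknown version: never assume patched
        elif version < FIXED_FLOOR:  # numeric tuple compare, not string compare
            status = "affected"
        else:
            status = "not_affected"
        result[row["hostname"]] = status
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {status}")
```

A "not_affected" result only means the device is outside the range this bulletin lists; the guidance to run the latest fixed release still applies.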

References:

  • SonicWall Security Advisory

For any further inquiries or assistance with patching, please reach out to the Shield53 Threat Intelligence Team.