Critical Authentication Bypass in SonicOS SSLVPN (CVE-2024-53704)

ISGroup Cybersecurity

SonicWall has recently disclosed a critical authentication bypass vulnerability in SonicOS, the operating system powering many of its SSLVPN-compatible devices. The vulnerability, CVE-2024-53704, allows unauthenticated remote attackers to hijack active VPN sessions, bypassing authentication measures, including the use of multi-factor authentication (MFA), to gain unauthorized access to internal networks.

Security researchers have confirmed the issue and developed a proof-of-concept (PoC) exploit that demonstrates session hijacking via a flaw in the base64 parsing of SSLVPN session cookies.

ProductSonicWall SSL VPN
Date2025-02-04 08:14:03
Information
  • Trending
  • Fix Available

Technical Summary

CVE-2024-53704 is a session hijacking vulnerability resulting from weak validation in SonicWall’s SSLVPN authentication process. The flaw allows attackers to use the SSLVPN server as a boolean blind oracle to brute-force valid session cookies without the need for valid credentials.

The attack unfolds as follows:

  1. Guess a partial session ID and pad it with null characters.
  2. Calculate a valid checksum for the partial session.
  3. Base64 encode the payload and send it to the /api/v1/client/sessionstatus endpoint.
  4. Analyze the server response to confirm valid sessions.
  5. Repeat the process to brute-force the full session ID.
  6. Use an open-source VPN client, such as nxBender, to hijack the session and gain access.

Once a valid session has been hijacked, the attacker can establish a persistent connection and move laterally within the network.

Recommendations

Organizations using affected SSLVPN-compatible SonicWall devices should:

  • Immediately apply the latest firmware update, such as SonicOS 7.1.3-7015, which fixes the defect in session validation.
  • Monitor active VPN sessions for suspicious activity and force the disconnection of all active sessions after applying the patch.
  • Implement session expiration policies to reduce the risk of long-lived session hijacking.
  • Enable additional monitoring and logging to detect unauthorized access attempts.
  • Consider restricting VPN access to known IP addresses or trusted devices where possible.

[Callforaction-THREAT-Footer]