SonicWall has recently disclosed a critical authentication bypass vulnerability in SonicOS, the operating system powering many of its SSLVPN-compatible devices. The vulnerability, CVE-2024-53704, allows unauthenticated remote attackers to hijack active VPN sessions, bypassing authentication measures, including the use of multi-factor authentication (MFA), to gain unauthorized access to internal networks.
Security researchers have confirmed the issue and developed a proof-of-concept (PoC) exploit that demonstrates session hijacking via a flaw in the base64 parsing of SSLVPN session cookies.
| Product | SonicWall SSL VPN |
| Date | 2025-02-04 08:14:03 |
| Information |
|
Technical Summary
CVE-2024-53704 is a session hijacking vulnerability resulting from weak validation in SonicWall’s SSLVPN authentication process. The flaw allows attackers to use the SSLVPN server as a boolean blind oracle to brute-force valid session cookies without the need for valid credentials.
The attack unfolds as follows:
- Guess a partial session ID and pad it with null characters.
- Calculate a valid checksum for the partial session.
- Base64 encode the payload and send it to the
/api/v1/client/sessionstatusendpoint. - Analyze the server response to confirm valid sessions.
- Repeat the process to brute-force the full session ID.
- Use an open-source VPN client, such as
nxBender, to hijack the session and gain access.
Once a valid session has been hijacked, the attacker can establish a persistent connection and move laterally within the network.
Recommendations
Organizations using affected SSLVPN-compatible SonicWall devices should:
- Immediately apply the latest firmware update, such as SonicOS 7.1.3-7015, which fixes the defect in session validation.
- Monitor active VPN sessions for suspicious activity and force the disconnection of all active sessions after applying the patch.
- Implement session expiration policies to reduce the risk of long-lived session hijacking.
- Enable additional monitoring and logging to detect unauthorized access attempts.
- Consider restricting VPN access to known IP addresses or trusted devices where possible.
[Callforaction-THREAT-Footer]
