
Source: Bishop Fox
Early this month, SonicWall disclosed a critical authentication bypass vulnerability in SonicOS, the operating system powering many of its SSLVPN-enabled appliances. Tracked as CVE-2024-53704, this flaw enables unauthenticated remote attackers to hijack existing VPN sessions, bypassing multi-factor authentication (MFA) and gaining unauthorized access to internal networks.
According to SonicWall’s advisory, there was no evidence of exploitation in the wild at the time of disclosure. However, security researchers at Bishop Fox have demonstrated a working proof-of-concept (PoC) exploit for CVE-2024-53704.
CVE-2024-53704 is a session hijacking vulnerability that arises from an insecure base64 decoding flaw in SSLVPN session cookies. The vulnerability allows attackers to leverage the SSLVPN server as a boolean blind oracle to brute-force valid VPN session cookies.
As Rapid7 researchers explain, “Successful exploitation of this vulnerability allows a remote unauthenticated attacker to hijack existing authenticated client SSLVPN sessions.”
What makes this flaw particularly dangerous is that it does not require a valid username or password, nor does it respect MFA protections. Instead, an attacker can guess session cookie prefixes and use a faulty validation check in SonicWall’s API to confirm valid sessions.
The flaw lies in the way SonicWall’s SSLVPN authentication process handles session cookies. Attackers can systematically guess session ID prefixes and exploit a logic flaw in the verification mechanism to confirm which guesses correspond to valid sessions.
The attack follows these steps:
- Guess a valid session ID prefix and pad the value with null characters to the expected length.
- Compute a valid checksum for the partial session ID.
- Base64-encode the payload and send it to the /api/v1/client/sessionstatus API endpoint.
- Check the server’s response—if it returns a positive match, the attacker has found part of a valid session ID.
- Repeat the process to brute-force the entire session ID.
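Because the oracle described above is only useful when an attacker can issue a large number of requests to the session-status endpoint in a short time, one practical detection is a per-source request-rate check on that path. The following is an added example written for this article, not code from the article, Bishop Fox or SonicWall. It assumes the appliance (or a reverse proxy in front of it) writes combined-style access log lines; the log format and the sample lines are constructed for the example and are not SonicWall's own.

```python
"""Flag sources that burst requests at the SSLVPN session-status endpoint.

Added example (not from the article, Bishop Fox or SonicWall). Assumes access
log lines in a generic combined-style format, which is an assumption; adapt
LOG_RE to the real log source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Endpoint named in the article as the boolean oracle.
ORACLE_PATH = "/api/v1/client/sessionstatus"

# Constructed combined-style format: ip ident [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        # Drop any query string so /path?x=1 still matches the endpoint.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def find_probe_bursts(lines, window_seconds=60, threshold=20):
    """Sliding-window count of ORACLE_PATH requests per source IP.

    Returns a sorted list of (ip, peak_requests_in_window) for every source
    whose peak reached `threshold`. Lines are assumed to be in chronological
    order per source; unparseable lines and other paths are skipped.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> highest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ORACLE_PATH:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return sorted((ip, n) for ip, n in peak.items() if n >= threshold)


def build_sample_log():
    """Constructed sample: one source probing 30 times in 30 s, one normal client."""
    base = datetime(2025, 2, 14, 10, 0, 0, tzinfo=timezone.utc)

    def stamp(t):
        return t.strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [
        f'203.0.113.10 - [{stamp(base + timedelta(seconds=i))}] '
        f'"POST {ORACLE_PATH} HTTP/1.1" 200'
        for i in range(30)
    ]
    lines.append(f'198.51.100.7 - [{stamp(base)}] "POST {ORACLE_PATH} HTTP/1.1" 200')
    lines.append(f'198.51.100.7 - [{stamp(base + timedelta(minutes=5))}] "GET /portal HTTP/1.1" 200')
    return lines


if __name__ == "__main__":
    for ip, n in find_probe_bursts(build_sample_log()):
        print(f"possible session-status brute force from {ip}: {n} requests in 60 s")
```

The threshold and window are starting points to tune against a baseline of legitimate client polling; a genuine VPN client checks its own session status occasionally, while a brute-force search must issue many requests per second. Detection complements, rather than replaces, applying the patched firmware.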
To extract the victim’s session, the researchers released a Ruby proof-of-concept (PoC) exploit for CVE-2024-53704, which they have published.
As the researchers noted, “An attacker can leverage this technique to quickly brute force every existing session ID.”
Once a valid session ID is discovered, an attacker can use a modified open-source VPN client, such as nxBender, to hijack the session and establish a persistent connection.
SonicWall has released patched firmware versions, including SonicOS 7.1.3-7015, which address the flaw by correcting the session cookie validation logic.