Threat actors, including those affiliated with the Akira ransomware group, have begun exploiting a critical remote code execution (RCE) vulnerability in SonicWall’s Gen 5, Gen 6, and some Gen 7 firewall products. This vulnerability, identified as CVE-2024-40766, allows attackers to gain complete control of affected devices and potentially cause them to crash. SonicWall disclosed the bug on August 22 and patched it, but attack activity has prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by September 30.
Vulnerability Details
The flaw, an improper access control bug in SonicWall SonicOS, affects management access components on Gen 5 and Gen 6 devices and on some Gen 7 devices running SonicOS 7.0.1-5035 or earlier. SonicWall urges customers to update to fixed versions as soon as possible, limit firewall management to trusted sources, disable WAN management over the internet, and secure SSLVPN access. The company also recommends enabling multifactor authentication (MFA) for all SSLVPN users.
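A small inventory triage helper, added here as an example and not taken from the article or from SonicWall: it parses SonicOS version strings in the major.minor.patch-build form the article uses and flags Gen 7 devices at or below the 7.0.1-5035 threshold for review. The article gives no fixed version numbers for Gen 5 or Gen 6, so only the Gen 7 threshold is encoded; the inventory format, hostnames, and the other version numbers are constructed.

```python
# Added example (not from the article or SonicWall): flag Gen 7 SonicOS
# versions at or below the 7.0.1-5035 threshold the article names as affected.
# Gen 5 / Gen 6 fixed versions are not stated in the article, so only the
# Gen 7 threshold is encoded. Inventory lines and hostnames are constructed.
import re
from typing import NamedTuple

class SonicOSVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")

def parse_version(text: str) -> SonicOSVersion:
    """Parse 'major.minor.patch-build' (e.g. '7.0.1-5035') into integers.
    Tuple comparison then orders versions numerically, so 7.0.1-5035 sorts
    below a hypothetical 7.0.1-10000, which a plain string compare gets wrong."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    return SonicOSVersion(*(int(g) for g in m.groups()))

# Gen 7 devices running this version or earlier fall in the affected range.
GEN7_AFFECTED_MAX = parse_version("7.0.1-5035")

def is_gen7_affected(version: str) -> bool:
    return parse_version(version) <= GEN7_AFFECTED_MAX

def triage_inventory(lines):
    """Return hostnames of Gen 7 devices in the affected range, for review.
    Each constructed line has the form '<hostname> <generation> <version>'."""
    flagged = []
    for line in lines:
        host, gen, ver = line.split()
        if gen == "Gen7" and is_gen7_affected(ver):
            flagged.append(host)
    return flagged

# Constructed sample inventory; hostnames and non-threshold builds are made up.
SAMPLE_INVENTORY = [
    "fw-edge-01 Gen7 7.0.1-5035",   # exactly at the threshold: flagged
    "fw-edge-02 Gen7 7.0.1-5030",   # earlier build: flagged
    "fw-edge-03 Gen7 7.0.1-5100",   # hypothetical later build: not flagged
    "fw-edge-04 Gen7 7.1.0-7000",   # hypothetical later release: not flagged
]

if __name__ == "__main__":
    print(triage_inventory(SAMPLE_INVENTORY))
```

Because the article says only "some" Gen 7 devices are affected, a flagged host is a candidate for review against SonicWall's advisory rather than a confirmed vulnerable device.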
Popular Target
SonicWall’s products are a popular target due to the elevated privileges attackers can gain on a network, allowing access to all traffic and sensitive data. Network security products like firewalls, routers, and VPNs are often compromised to gain initial access, as seen with recent attacks on Fortinet, Ivanti, and Cisco devices. CISA has issued a binding directive for federal agencies to secure management interfaces for network devices.
Recommendations
SonicWall advises customers to:
- Update to fixed versions of the technology
- Limit firewall management to trusted sources
- Disable WAN management via the internet
- Secure SSLVPN access
- Enable MFA for all SSLVPN users
- Change locally managed SSLVPN user passwords immediately
Reference: "Akira Ransomware Actors Exploit SonicWall Bug for RCE," Dark Reading, September 9, 2024