SonicWall's SonicOS is vulnerable to a critical access control flaw that could allow attackers to gain unauthorized access to resources or cause the firewall to crash.
The flaw has been assigned the identifier CVE-2024-40766 and a severity score of 9.3 under the CVSS v3 standard, reflecting its network attack vector, low attack complexity, and the absence of any authentication or user interaction requirement.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash,” reads SonicWall’s bulletin.
“This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.”
Specific models impacted are:
- Gen 5: SOHO devices running version 5.9.2.14-12o and older
- Gen 6: Various TZ, NSA, and SM models running versions 6.5.4.14-109n and older
- Gen 7: TZ and NSA models running SonicOS build version 7.0.1-5035 and older
System administrators are advised to upgrade to the versions below, which address CVE-2024-40766:
- For Gen 5: Version 5.9.2.14-13o
- For Gen 6: Version 6.5.4.15-116n
- For SM9800, NSsp 12400, and NSsp 12800: version 6.5.2.8-2n is safe
- For Gen 7: Any SonicOS firmware version greater than 7.0.1-5035
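As an added example (not from the article or from SonicWall), the following Python script turns the affected and fixed version lists above into a quick inventory check: it parses SonicOS version strings into comparable keys, picks the branch threshold that applies, and flags each firewall as affected or not. The version-string grammar it parses, the hostnames in the sample inventory, and the decision to treat 6.5.2.x builds earlier than 6.5.2.8-2n as affected are assumptions of this example, not statements from the advisory.

```python
import re
from typing import Dict, Tuple

# Assumed grammar of a SonicOS version string, e.g. "6.5.4.14-109n" or
# "7.0.1-5035": dotted numeric base, a hyphen, a numeric build number and an
# optional single-letter suffix.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")

# (dotted base, build number, suffix letter); tuples compare lexicographically,
# which gives the ordering the advisory's strings imply: 5.9.2.14-12o < 5.9.2.14-13o.
VersionKey = Tuple[Tuple[int, ...], int, str]


def parse_version(version: str) -> VersionKey:
    """Parse a SonicOS version string into a comparable key, or raise ValueError."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    base, build, suffix = m.groups()
    return tuple(int(part) for part in base.split(".")), int(build), suffix


# Thresholds transcribed from the lists above: the highest build on each branch
# that is still vulnerable (compare with <=) ...
LAST_AFFECTED = {
    "gen5": parse_version("5.9.2.14-12o"),
    "gen6": parse_version("6.5.4.14-109n"),
    "gen7": parse_version("7.0.1-5035"),
}
# ... and, for the SM9800 / NSsp 12400 / NSsp 12800 6.5.2.x branch, the build the
# advisory names as safe. ASSUMPTION of this example: earlier 6.5.2.x builds are
# affected; the advisory does not list them explicitly.
FIXED_6_5_2 = parse_version("6.5.2.8-2n")


def branch_of(key: VersionKey) -> str:
    """Map a parsed version to the branch whose threshold applies."""
    base = key[0]
    if base[:3] == (6, 5, 2):
        return "gen6-6.5.2"
    if base[0] == 5:
        return "gen5"
    if base[0] == 6:
        return "gen6"
    if base[0] == 7:
        return "gen7"
    raise ValueError(f"no CVE-2024-40766 guidance for SonicOS major version {base[0]}")


def is_affected(version: str) -> bool:
    """True if this SonicOS build falls inside the affected ranges listed above."""
    key = parse_version(version)
    branch = branch_of(key)
    if branch == "gen6-6.5.2":
        return key < FIXED_6_5_2
    return key <= LAST_AFFECTED[branch]


def triage(inventory: Dict[str, str]) -> Dict[str, bool]:
    """Return {hostname: affected?} for an inventory of hostname -> version."""
    return {host: is_affected(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames are made up).
    sample = {
        "fw-branch-01": "5.9.2.14-12o",   # Gen 5, last affected build
        "fw-branch-02": "6.5.4.15-116n",  # Gen 6, fixed
        "fw-dc-core": "6.5.2.8-2n",       # SM9800 branch, fixed
        "fw-hq-01": "7.0.1-5035",         # Gen 7, last affected build
    }
    for host, affected in triage(sample).items():
        status = "AFFECTED - patch or restrict management access" if affected else "ok"
        print(f"{host:14} {sample[host]:16} {status}")
```

The script is a triage aid, not a substitute for the advisory: it only knows the branches named above, raises on anything else rather than guessing, and should be re-checked against SonicWall's bulletin for your exact model before it drives any patch decision.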
The security updates are available for download from mysonicwall.com.
Those who cannot apply the fixes immediately are advised to restrict firewall management access to trusted sources or to disable WAN management access from the internet. More information on how to do this can be found on SonicWall's support page.
SonicWall firewalls are widely used across mission-critical industries and corporate environments and are commonly targeted by threat actors to gain initial access to corporate networks.
In March 2023, suspected Chinese hackers tracked as UNC4540 attacked SonicWall Secure Mobile Access (SMA) appliances with custom malware that could persist through firmware upgrades.
The US Cybersecurity & Infrastructure Security Agency (CISA) has warned about active exploitation of flaws impacting SonicWall appliances since 2022.