SonicWall has revealed that a recently patched critical security flaw impacting SonicOS may have come under active exploitation, making it essential that users apply the patches as soon as possible.
The vulnerability, tracked as CVE-2024-40766, carries a CVSS score of 9.3 out of a maximum of 10.
“An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash,” SonicWall said in an updated advisory.
With the latest development, the company has revealed that CVE-2024-40766 also impacts the firewall’s SSLVPN feature. The issue has been addressed in the following versions:
- SOHO (Gen 5 Firewalls) – 5.9.2.14-13o
- Gen 6 Firewalls – 6.5.2.8-2n (for SM9800, NSsp 12400, and NSsp 12800) and 6.5.4.15.116n (for other Gen 6 Firewall appliances)
The network security vendor has since updated the bulletin to reflect the possibility that it may have been actively exploited.
“This vulnerability is potentially being exploited in the wild,” it added. “Please apply the patch as soon as possible for affected products.”
As temporary mitigations, it's recommended to restrict firewall management to trusted sources or disable firewall WAN management from internet access. For SSLVPN, it's advised to limit access to trusted sources, or disable internet access altogether.
Additional mitigations include enabling multi-factor authentication (MFA) for all SSLVPN users using one-time passwords (OTPs). Customers using GEN5 and GEN6 firewalls whose SSLVPN users have locally managed accounts are advised to update those passwords immediately to prevent unauthorized access.
There are currently no details about how the flaw may have been weaponized in the wild, but Chinese threat actors have, in the past, targeted unpatched SonicWall Secure Mobile Access (SMA) 100 appliances to establish long-term persistence.