Nearly 4,500 internet-exposed SonicWall firewalls were discovered by Bishop Fox researchers to be at risk of having their VPN sessions taken over in attacks exploiting a recently patched high-severity authentication bypass flaw within the SonicOS SSLVPN application, tracked as CVE-2024-53704, according to BleepingComputer.
Potential intrusions commence with the delivery of a specially crafted session cookie with a base64-encoded null bytes string to the '/cgi-bin/sslvpnclient' SSL VPN authentication endpoint, prompting an improper session validation that logs out firewall users and enables attacker session hijacking, a report from Bishop Fox revealed. "With that, we were able to identify the username and domain of the hijacked session, along with private routes the user was able to access through the SSL VPN," said researchers. Organizations with firewalls running on SonicOS versions 7.1.x, 7.1.2-7019, and 8.0.0-8035 have been urged to immediately apply patches issued by SonicWall earlier last month.
