Severity
High
Analysis Summary
SonicWall has published security patches to fix a serious vulnerability affecting its firewalls. If exploited, this flaw could allow malicious actors to gain unauthorized access to the devices. The vulnerability has been classified as an improper access control flaw and is tracked as CVE-2024-40766 (CVSS score: 9.3).
The SonicWall SonicOS management access contains an improper access control vulnerability that could allow unauthorized resource access and, under some circumstances, cause the firewall to crash. SonicWall Firewall Gen 5 and Gen 6 devices are affected, as are Gen 7 devices running SonicOS 7.0.1-5035 or earlier.
Although customers are advised to upgrade to the most recent firmware, SonicWall stated that the vulnerability is not reproducible in SonicOS firmware versions higher than 7.0.1-5035. The networking equipment vendor has not said whether the vulnerability is being exploited in the wild. Even so, users should apply the fixes without delay.
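As an added example (not from the advisory or from SonicWall), the following Python helper applies the version statements above to a firewall inventory: Gen 5 and Gen 6 devices are flagged outright, and Gen 7 devices are compared against build 7.0.1-5035. The `major.minor.patch-build` version format is assumed from the 7.0.1-5035 example, and the sample inventory is constructed.

```python
import re
from typing import Dict, Iterable, Tuple

# Assumed from the advisory text: SonicOS Gen 7 builds are written as
# "major.minor.patch-build" (e.g. 7.0.1-5035). Builds at or below this one
# are affected; the vendor states the issue does not reproduce above it.
GEN7_LAST_AFFECTED = "7.0.1-5035"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch-build' into a tuple that compares numerically."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def assess_cve_2024_40766(generation: int, version: str) -> str:
    """Triage one firewall against the affected-version statements above.

    Gen 5 and Gen 6 are listed as affected without a build threshold, so they
    are sent to the vendor advisory for the fixed firmware. Gen 7 is compared
    against the last affected build. Anything else is left for manual review.
    """
    if generation in (5, 6):
        return "affected: see SonicWall advisory for fixed firmware"
    if generation == 7:
        if parse_sonicos_version(version) <= parse_sonicos_version(GEN7_LAST_AFFECTED):
            return "affected: upgrade above 7.0.1-5035 or restrict WAN management access"
        return "not affected per vendor statement"
    return "unknown generation: verify manually"


def triage_inventory(inventory: Iterable[Tuple[str, int, str]]) -> Dict[str, str]:
    """Run the check over (hostname, generation, version) records."""
    return {host: assess_cve_2024_40766(gen, ver) for host, gen, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and builds are placeholders.
    sample = [
        ("fw-branch-01", 7, "7.0.1-5035"),   # last affected build
        ("fw-branch-02", 7, "7.0.1-5090"),   # later build, same release
        ("fw-legacy-01", 6, "unknown"),      # Gen 6: version not parsed
        ("fw-dc-01", 7, "7.1.1-7000"),       # later release
    ]
    for host, verdict in triage_inventory(sample).items():
        print(f"{host}: {verdict}")
```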
If users are unable to deploy the patch right away, they should disable firewall WAN management access from Internet-facing sources or limit firewall management access to trusted source addresses. Last year, a suspected China-nexus threat actor tracked as UNC4540 was observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 appliances in an attempt to drop Tiny SHell and establish long-term persistence, according to Mandiant, a Google-owned company.
To evade detection, several China-linked activity clusters have progressively shifted toward compromising edge infrastructure for initial breaches and primary remote access. Among these is a recently uncovered intrusion set known as Velvet Ant, which used a zero-day exploit against Cisco switch appliances to deploy new malware known as VELVETSHELL, a modified combination of Tiny SHell and 3proxy.
Impact
- Unauthorized Access
- Security Bypass
- Cyber Espionage
Indicators of Compromise
CVE
- CVE-2024-40766
Affected Vendors
Remediation
- Refer to the SonicWall Advisory for patch, upgrade, or suggested workaround information.
- Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.