SonicWall confirms active exploitation of two SMA vulnerabilities
Take action: If you are running SonicWall SMA products and they are still not patched, start patching RIGHT NOW. Hackers have been scanning for these SMA products for a while. They will hack you.
SonicWall is reporting active exploitation of two vulnerabilities affecting its SMA Series remote access devices. These vulnerabilities can allow network infiltration and lateral movement once attackers gain entry to corporate networks.
Vulnerability summary:
- CVE-2024-38475 (CVSS score 9.8) - path traversal flaw
- CVE-2023-44221 (CVSS score 7.2) - OS command injection flaw
Attackers can remotely load any file and execute it, so an attacker only has to reference the file to carry out an attack. Compromised appliances "sit right in the data path, so can readily access decrypted data or breach encryption keys used for cryptography."
The company has strongly urged all customers to immediately review their SMA devices for signs of unauthorized access and prioritize immediate patching of all affected systems.
Both vulnerabilities affect the SMA series SMA 200, 210, 400, 410 and 500v. SonicWall reports the flaws are fixed as of firmware 10.2.1.14-75sv.
The attack is dubbed SonicBoom and has the following attack chain:
- First, attackers exploit CVE-2024-38475 by sending a crafted HTTP request to the SMA appliance containing a URL-encoded question mark (e.g., %3F) along with a manipulated path. This tricks the server into exposing arbitrary files from the filesystem, potentially including sensitive authentication data. For example, a request like GET /portal/../../../../etc/passwd%3F HTTP/1.1 might return the contents of the /etc/passwd file, completely bypassing intended access controls.
- Once critical information is extracted, attackers leverage CVE-2023-44221, the post-authentication command injection vulnerability, to remotely execute code or escalate privileges. If configuration files or administrator credentials were obtained in the first step, the entire system becomes compromised.
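As an added defender-side example (not code from SonicWall or this article), the following Python flags the first-stage request pattern described above in web-server access logs and checks a firmware version string against the fixed release the article cites. The common-log-format lines are constructed samples, the appliance's real log layout and the `x.y.z.w-NNsv` version-string layout are assumptions.

```python
import re
from urllib.parse import unquote

# Fixed firmware release named in the article.
FIXED_VERSION = "10.2.1.14-75sv"

# Constructed sample lines in Apache common log format (the appliance's real
# log layout is an assumption); 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
203.0.113.10 - - [02/May/2025:10:01:02 +0000] "GET /portal/../../../../etc/passwd%3F HTTP/1.1" 200 1844
203.0.113.10 - - [02/May/2025:10:01:05 +0000] "GET /portal/..%2F..%2F..%2F..%2Fetc/passwd%3F HTTP/1.1" 200 1844
198.51.100.7 - - [02/May/2025:10:02:11 +0000] "GET /portal/login.html HTTP/1.1" 200 5120
198.51.100.7 - - [02/May/2025:10:02:15 +0000] "GET /cgi-bin/welcome?faq=1 HTTP/1.1" 200 771
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def is_suspicious_request(target: str) -> bool:
    """True when a request target shows the first-stage pattern: a dot-dot
    traversal combined with a URL-encoded question mark (%3F)."""
    # Legitimate query strings carry a literal '?', so an encoded one is the tell.
    has_encoded_qmark = "%3f" in target.lower()
    # Decode twice so single- and double-encoded '../' are both caught.
    decoded = unquote(unquote(target))
    has_traversal = "../" in decoded or "..\\" in decoded
    return has_encoded_qmark and has_traversal

def scan_access_log(text: str) -> list:
    """Return (source, target, status) for every matching request line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_request(m["target"]):
            hits.append((m["src"], m["target"], m["status"]))
    return hits

def _version_key(version: str) -> tuple:
    # Assumed layout: dotted numeric release followed by '-<build>sv'.
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-(\d+)sv", version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2)),)

def is_patched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running firmware is at or above the fixed release."""
    return _version_key(version) >= _version_key(fixed)
```

Run over the constructed sample, `scan_access_log(SAMPLE_LOG)` reports only the two traversal requests from 203.0.113.10; `is_patched` accepts only the assumed version layout and raises on anything else.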