Alert essentials:

Updates have been released for SonicWall Gen6 and Gen7.

Deploy the fixes urgently to patch multiple vulnerabilities.


Detailed threat description:

Multiple vulnerabilities have been identified in various Gen6 and Gen7 firewalls. The most critical is CVE-2024-53704, an authentication bypass in SonicOS SSLVPN: an improper authentication mechanism allows a remote attacker to bypass SSLVPN authentication.

CVE-2024-53706 is a local privilege escalation vulnerability in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only). It allows an authenticated, low-privileged local attacker to elevate privileges to root, potentially leading to code execution.

CVE-2024-40762 stems from a cryptographically weak Pseudo-Random Number Generator (PRNG) in the SonicOS SSLVPN authentication token generator. Because the generator's output can be predicted, the weakness can potentially result in an authentication bypass.

With CVE-2024-53705, a remote attacker can establish a TCP connection to an IP address on any port while a user is logged into the firewall. This medium-severity Server-Side Request Forgery vulnerability lies in the SonicOS SSH management interface and can potentially lead to further network compromise.

Although the manufacturer has no evidence that these flaws are being actively exploited, users are urged to update their firewalls immediately.
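The CVE-2024-40762 weakness class (CWE-338, use of a cryptographically weak PRNG for security material) is easiest to understand side by side with its hardened form. The following is an added illustration written for this alert; it is not SonicWall code and says nothing about how the SonicOS token generator is actually built. It shows a constructed token generator whose output is fully determined by a small, guessable seed (coarse wall-clock time), the CSPRNG-backed replacement, and a constant-time token comparison for the verifying side.

```python
import hmac
import random
import secrets
import time
from typing import Optional

TOKEN_BYTES = 32  # 256 bits of token material in both generators


def weak_token(seed: Optional[int] = None) -> str:
    """Constructed CWE-338 example (not SonicOS code): a session token drawn
    from a non-cryptographic PRNG (Python's Mersenne Twister) seeded from
    one-second wall-clock time. The token is a pure function of the seed, so
    the effective key space is the seed space, not the token's 256 bits."""
    if seed is None:
        seed = int(time.time())  # one-second resolution: tiny seed space
    rng = random.Random(seed)
    return rng.getrandbits(TOKEN_BYTES * 8).to_bytes(TOKEN_BYTES, "big").hex()


def secure_token() -> str:
    """Hardened form: token material comes from the operating system CSPRNG
    via the `secrets` module and cannot be reproduced from any observable
    seed or earlier output."""
    return secrets.token_hex(TOKEN_BYTES)


def token_matches(presented: str, stored: str) -> bool:
    """Verify a presented token in constant time so the comparison does not
    leak how many leading characters matched."""
    return hmac.compare_digest(presented.encode(), stored.encode())


def same_seed_same_token(seed: int) -> bool:
    """Two generators seeded identically emit identical tokens; this
    determinism is what makes a weak PRNG unsuitable for authentication
    material."""
    return weak_token(seed) == weak_token(seed)


if __name__ == "__main__":
    print("weak, seed 1700000000 :", weak_token(1700000000))
    print("weak, same seed again :", weak_token(1700000000))
    print("secure                :", secure_token())
    print("secure again          :", secure_token())
```

The defender's takeaway is the one the advisory applies: a token that depends on a low-entropy seed is no stronger than that seed, regardless of its length, so token generation must use the platform CSPRNG and verification should not leak timing.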

Impacts on healthcare organizations:

The potential consequences of these vulnerabilities on patient data security are severe and multifaceted.

These vulnerabilities can expose sensitive information and disrupt healthcare operations, possibly resulting in delays in medical procedures and damage to the organizational reputation.

By adhering to good cybersecurity hygiene, healthcare networks can significantly reduce their exposure to vulnerability risks and enhance their overall cybersecurity posture.


Affected Products / Versions:

CVEs

  • CVE-2024-40762 – CWE-338 (CVSS 7.1)
  • CVE-2024-53704 – CWE-287 (CVSS 8.2)
  • CVE-2024-53705 – CWE-918 (CVSS 6.5)
  • CVE-2024-53706 – CWE-269 (CVSS 7.8)
Affected versions and models by CVE:

CVE-2024-40762
  • Gen7 Firewalls, 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, TZ80

CVE-2024-53704
  • Gen7 Firewalls, 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019: TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, TZ80

CVE-2024-53705
  • Gen6 Hardware Firewalls, 6.5.4.15-117n and older versions: SOHOW, TZ300, TZ300W, TZ400, TZ400W, TZ500, TZ500W, TZ600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ300P, TZ600P, SOHO 250, SOHO 250W, TZ350, TZ350W
  • Gen7 Firewalls, 7.0.x (7.0.1-5161 and older versions): TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700
  • Gen7 NSv, 7.0.x (7.0.1-5161 and older versions), and version 7.1.2-7019: NSv 270, NSv 470, NSv 870, TZ80

CVE-2024-53706
  • Gen7 Cloud Platform, 7.1.x (7.1.1-7058 and older versions), and version 7.1.2-7019: NSv 270, NSv 470, NSv 870 (AWS and Azure editions only)


Fixed versions by platform:

  • Gen6 Hardware Firewalls (SOHOW, TZ300, TZ300W, TZ400, TZ400W, TZ500, TZ500W, TZ600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ300P, TZ600P, SOHO 250, SOHO 250W, TZ350, TZ350W): 6.5.5.1-6n and higher
  • Gen7 NSv (NSv 270, NSv 470, NSv 870): 7.0.1-5165 and higher
  • Gen7 Firewalls (TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700): 7.0.1-5165 and higher, or 7.1.3-7015 and higher
  • TZ80: 8.0.0-8037 and higher
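Checking a fleet against the fixed-versions table by hand is error-prone, because SonicOS version strings mix a dotted release with a build number (and, on Gen6, a trailing letter), and Gen7 firewalls have two separate fixed builds. The following Python is an added example written for this alert, not a SonicWall tool. It encodes the fixed builds from the table above and assumes (my interpretation, not stated by the advisory) that each fixed build applies to devices on the branch sharing its major.minor, so 7.0.1-5165 governs 7.0.x devices and 7.1.3-7015 governs 7.1.x devices; the trailing letter on Gen6 builds is treated as carrying no ordering information. The inventory records are constructed.

```python
import re
from typing import Dict, List, Tuple

# First fixed builds per platform, taken from the advisory's fixed-versions table.
# Assumption (mine, not the advisory's): a fixed build applies to the firmware
# branch that shares its major.minor version.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "Gen6 Hardware Firewalls": ["6.5.5.1-6n"],
    "Gen7 NSv": ["7.0.1-5165"],
    "Gen7 Firewalls": ["7.0.1-5165", "7.1.3-7015"],
    "TZ80": ["8.0.0-8037"],
}

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([a-z]?)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a SonicOS version string such as '6.5.4.15-117n' or '7.1.1-7058'
    into a comparable tuple: the dotted release components followed by the
    build number. The Gen6 letter suffix is dropped (assumption)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version: {version!r}")
    release, build, _suffix = m.groups()
    return tuple(int(p) for p in release.split(".")) + (int(build),)


def patch_status(platform: str, running: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one device.

    'unknown' means the device runs a branch for which the advisory table
    lists no fixed build, so the table alone cannot decide (e.g. NSv 7.1.x)."""
    current = parse_version(running)
    for fixed in FIXED_VERSIONS.get(platform, []):
        fixed_t = parse_version(fixed)
        if current[:2] == fixed_t[:2]:  # same major.minor branch
            return "fixed" if current >= fixed_t else "vulnerable"
    return "unknown"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Evaluate (hostname, platform, running_version) records and return the
    hosts that still need attention, i.e. anything not confirmed fixed."""
    needs_attention = []
    for host, platform, version in inventory:
        status = patch_status(platform, version)
        if status != "fixed":
            needs_attention.append((host, status))
    return needs_attention


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames are invented.
    sample = [
        ("fw-edge-01", "Gen7 Firewalls", "7.1.1-7058"),
        ("fw-edge-02", "Gen7 Firewalls", "7.1.3-7015"),
        ("fw-clinic-03", "Gen6 Hardware Firewalls", "6.5.4.15-117n"),
        ("nsv-aws-01", "Gen7 NSv", "7.1.2-7019"),
        ("tz80-branch-04", "TZ80", "8.0.0-8037"),
    ]
    for host, status in triage(sample):
        print(f"{host}: {status}")
```

An "unknown" result is deliberately not treated as safe: the NSv 7.1.2-7019 build is listed as affected by CVE-2024-53705 and CVE-2024-53706, yet the fixed-versions table only names a 7.0.x build for NSv, so such devices should be checked against the vendor's current guidance rather than assumed patched.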


Recommendations

Engineering recommendations:

  • Apply the patch as soon as possible for impacted products
  • To minimize the potential impact of SSLVPN vulnerabilities, please ensure that access is limited to trusted sources or disable SSLVPN access from the Internet
  • To minimize the potential impact of an SSH vulnerability, we recommend restricting firewall management to trusted sources or disabling firewall SSH management from Internet access
  • Enable multi-factor authentication (MFA) for all VPN accounts and user access
  • Disable WAN management from internet access if not required
  • Regularly monitor firewall and VPN logs, paying close attention to WAN and SSL VPN login events for unusual activity
  • Configure VPN services to use non-default ports to reduce exposure to known attack vectors
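The two monitoring-related recommendations above (limit SSLVPN access to trusted sources, and watch WAN and SSL VPN login events for unusual activity) can be turned into a small detection routine. The following Python is an added example for this alert, not SonicWall code or a Fortified tool. The log lines are constructed in a simplified key=value syslog style; the field names and message texts are assumptions and must be mapped to the message IDs of the firmware actually in use, and the addresses come from the RFC 5737 documentation ranges. It flags SSL VPN logins from outside a trusted allow-list, bursts of failed logins from one source, and a success that follows recent failures from the same source.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

# Constructed sample log (not real SonicOS output); message texts are assumed.
LOG_SAMPLE = """\
id=firewall time="2025-01-08 09:12:01 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN login failed" usr="jsmith" src=198.51.100.23:51012:X1
id=firewall time="2025-01-08 09:12:03 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN login failed" usr="jsmith" src=198.51.100.23:51013:X1
id=firewall time="2025-01-08 09:12:05 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN login failed" usr="admin" src=198.51.100.23:51014:X1
id=firewall time="2025-01-08 09:12:08 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="jsmith" src=198.51.100.23:51015:X1
id=firewall time="2025-01-08 09:15:00 UTC" fw=203.0.113.10 pri=6 msg="SSL VPN login successful" usr="mlee" src=192.0.2.40:60210:X1
id=firewall time="2025-01-08 09:20:00 UTC" fw=203.0.113.10 pri=5 msg="SSL VPN login failed" usr="rkim" src=192.0.2.40:60211:X1
"""

# Constructed allow-list standing in for the organisation's trusted sources.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

FAIL_THRESHOLD = 3                  # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)  # ... inside this window raises a burst alert

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Parse key=value pairs, honouring double-quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def analyze(lines: List[str],
            trusted: Optional[List[ipaddress.IPv4Network]] = None) -> List[Dict[str, str]]:
    """Run the three detections over log lines in time order and return alerts."""
    trusted = TRUSTED_NETWORKS if trusted is None else trusted
    alerts: List[Dict[str, str]] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)

    for line in lines:
        ev = parse_line(line)
        msg = ev.get("msg", "")
        if not msg.startswith("SSL VPN login"):
            continue  # only VPN authentication events matter here
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S UTC")
        ip = ipaddress.ip_address(ev["src"].split(":")[0])  # strip port and interface
        src = str(ip)
        base = {"src": src, "user": ev.get("usr", "?"), "time": ev["time"]}

        recent = failures[src]
        while recent and ts - recent[0] > FAIL_WINDOW:
            recent.popleft()  # forget failures outside the window

        if msg == "SSL VPN login failed":
            recent.append(ts)
            if len(recent) == FAIL_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "count": str(len(recent)), **base})
        elif msg == "SSL VPN login successful":
            if not any(ip in net for net in trusted):
                alerts.append({"rule": "untrusted_source_login", **base})
            if recent:
                alerts.append({"rule": "success_after_failures", "count": str(len(recent)), **base})
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG_SAMPLE.splitlines()):
        print(alert)
```

The burst rule fires once when the threshold is reached rather than on every subsequent failure, which keeps alert volume down; a success from an untrusted source, or one that follows failures, is reported separately so that each can be triaged on its own.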


Leadership / Program recommendations:

  • Consider upgrading or replacing outdated SonicWall devices, especially those running unsupported firmware versions
  • Implement strict access control policies, limiting VPN access to only necessary users and IP ranges

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: