Attackers exploited old flaws to breach SonicWall SMA appliances (CVE-2024-38475, CVE-2023-44221)
Attackers have been using two previously known vulnerabilities (CVE-2024-38475, CVE-2023-44221) to compromise SonicWall Secure Mobile Access (SMA) devices, the vendor has confirmed by updating the associated advisories.
CISA has added the two flaws to its Known Exploited Vulnerabilities catalog, and Watchtowr researchers have analyzed how they can be chained together and have released a proof-of-concept exploit (or, as they call it, a “Detection Artefact Generator”).
The exploited vulnerabilities (CVE-2024-38475, CVE-2023-44221)
Sonicwall SMA100 appliances are VPN gateways used by organizations to allow employees to safely access enterprise applications.
CVE-2024-38475 is a path traversal vulnerability in Apache HTTP Server v2.4.59 and earlier, which allows unauthenticated attackers to map URLs to file system locations that are permitted to be served by the server and, ultimately, to read any file the webserver can read. (Sonicwall’s SMA 100 appliances use a modified version of the Apache HTTP Server.)
Watchtowr researchers discovered that they could use this vulnerability to download the SQLite database containing – among other things – session identifiers for currently active sessions and then extract a currently logged-in administrator session ID and use that info to gain administrative control over vulnerable appliances.
CVE-2023-44221 is an OS command injection vulnerability in the appliance’s SSL-VPN management interface that can only be leveraged by authenticated attackers.
Luckily for the attackers, CVE-2024-38475 allows them to bypass authentication and gain administrative privileges on the device, and CVE-2023-44221 then allows them to inject commands as the nobody user.
What to do?
The two vulnerabilities affect Sonicwall SMA 200, SMA 210, SMA 400, SMA 410, and SMA 500v devices.
CVE-2023-44221 was patched in December 2023 in firmware version 10.2.1.10-62sv, CVE-2024-38475 in December 2024 in firmware version 10.2.1.14-75sv and later.
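A quick inventory check that maps the two fixed firmware versions above to the CVEs an appliance still lacks a fix for. This is an added example, not SonicWall's tooling or code from the article; it assumes SMA version strings follow the `10.2.1.14-75sv` shape and that any numerically equal or later build carries the fix, and the inventory list is constructed sample data.

```python
import re
from typing import Dict, List, Tuple

# Firmware versions named in the advisories as carrying each fix.
FIXED_IN = {
    "CVE-2023-44221": "10.2.1.10-62sv",
    "CVE-2024-38475": "10.2.1.14-75sv",
}

# Models listed as affected.
AFFECTED_MODELS = {"SMA 200", "SMA 210", "SMA 400", "SMA 410", "SMA 500v"}

# major.minor.patch.hotfix with an optional "-NNsv" build suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+)sv)?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.2.1.14-75sv' into a comparable tuple (10, 2, 1, 14, 75).

    A missing '-NNsv' build suffix is treated as build 0 so that a bare
    '10.2.1.14' sorts before '10.2.1.14-75sv' (assumption, not vendor-documented).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised SMA firmware version: {version!r}")
    major, minor, patch, hotfix, build = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix), int(build or 0))


def outstanding_cves(model: str, version: str) -> List[str]:
    """Return the CVEs from this advisory that the appliance is still missing a fix for."""
    if model not in AFFECTED_MODELS:
        return []
    installed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if installed < parse_version(fixed))


def audit_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map each hostname to its outstanding CVEs; fully patched hosts are omitted."""
    report = {}
    for hostname, model, version in inventory:
        missing = outstanding_cves(model, version)
        if missing:
            report[hostname] = missing
    return report


# Constructed sample inventory: (hostname, model, firmware version).
SAMPLE_INVENTORY = [
    ("sma-hq-01", "SMA 410", "10.2.1.9-57sv"),     # predates both fixes
    ("sma-branch-02", "SMA 200", "10.2.1.10-62sv"), # has only the 2023 fix
    ("sma-lab-03", "SMA 500v", "10.2.1.14-75sv"),   # fully patched
]

if __name__ == "__main__":
    for host, cves in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: missing fixes for {', '.join(cves)}")
```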
CISA and Sonicwall haven’t shared details about what the attackers are doing once they’ve compromised targeted devices, and we still don’t know how long the attackers have been leveraging the two flaws.
Unfortunately, Sonicwall SMA appliances are regularly breached through both known and previously unknown (aka “zero-day”) vulnerabilities.
Organizations that don’t patch their devices regularly should investigate whether they’ve been compromised in these and earlier attacks.