Critical SonicWall SMA100 Vulnerability SNWLID-2024-0018: Immediate Mitigation Required

Executive Summary

On December 5, 2024, a critical vulnerability identified as SNWLID-2024-0018 was disclosed, affecting the SonicWall SMA100 series, a widely deployed SSL-VPN appliance line. This vulnerability poses significant risk because it is actively being exploited in the wild and may allow unauthorized access and remote code execution. Organizations running affected versions are urged to take immediate action to mitigate these risks.

Technical Information

The vulnerability SNWLID-2024-0018 affects the SonicWall SMA100 series, specifically the SMA 200, 210, 400, 410, and 500v models. The affected firmware versions are 10.2.1.13-72sv and earlier. The advisory was first published on December 3, 2024, and covers multiple vulnerabilities that could be exploited by attackers. By their nature, these vulnerabilities may allow remote code execution or unauthorized access, which could lead to severe data breaches and the compromise of sensitive information.

The CISA Known Exploited Vulnerabilities Catalog has listed this vulnerability, indicating its active exploitation in the wild. Organizations are strongly encouraged to review their systems and apply the necessary updates to mitigate risks associated with this vulnerability. The National Vulnerability Database (NVD) has also cataloged this vulnerability under the following CVEs: CVE-2024-38475, CVE-2024-45318, and CVE-2024-53703. For further details, refer to the official advisory at SonicWall: SonicWall Security Advisory SNWLID-2024-0018.

Exploitation in the Wild

Reports indicate that attackers are actively leveraging the vulnerabilities associated with SNWLID-2024-0018 to gain unauthorized access to systems. Specific exploitation techniques have not been publicly disclosed, but the nature of the vulnerabilities suggests that they could facilitate remote code execution or unauthorized access. Indicators of Compromise (IOCs) related to this vulnerability may include unusual network traffic patterns, unauthorized login attempts, and unexpected changes to system configurations. Organizations should remain vigilant and monitor their systems for any signs of exploitation.

APT Groups using this vulnerability

While specific Advanced Persistent Threat (APT) groups targeting this vulnerability have not been publicly identified, the nature of the vulnerabilities suggests that they could attract interest from various threat actors, including state-sponsored groups and cybercriminal organizations. These groups often target sectors such as finance, healthcare, and critical infrastructure, where the potential for data theft and disruption is high. Organizations in these sectors should prioritize the application of security updates and the implementation of robust security measures to protect against potential exploitation.

Affected Product Versions

The following versions of the SonicWall SMA100 series are affected by this vulnerability: SMA 100 Series (including models SMA 200, 210, 400, 410, and 500v) with firmware versions 10.2.1.13-72sv and earlier. Organizations running these versions are strongly advised to update their systems to the latest firmware immediately to mitigate the risks associated with this vulnerability.
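The first step in responding is knowing which devices in your estate actually fall within the "10.2.1.13-72sv and earlier" range. The script below is an added example written for this post; it is not Rescana's or SonicWall's code. It assumes SMA100 firmware versions follow the "a.b.c.d-NNsv" pattern shown in the advisory and that the trailing "-NNsv" build number sorts numerically within a release; the inventory entries are constructed sample data, and the "newer" version string is a made-up value, not a statement of which build fixes the issue.

```python
import re
from typing import List, Optional, Tuple

# Highest firmware version the advisory lists as affected (value taken from the post).
LAST_AFFECTED = "10.2.1.13-72sv"

# Constructed sample asset inventory; hostnames, models and versions are hypothetical.
INVENTORY = [
    {"host": "sma-hq-01",  "model": "SMA 410",  "firmware": "10.2.1.13-72sv"},
    {"host": "sma-dc-02",  "model": "SMA 500v", "firmware": "10.2.1.12-62sv"},
    {"host": "sma-br-03",  "model": "SMA 210",  "firmware": "10.2.2.1-10sv"},   # constructed "newer" build
    {"host": "sma-lab-04", "model": "SMA 200",  "firmware": "10.2.0.9-41sv"},
    {"host": "sma-bad-05", "model": "SMA 400",  "firmware": "unknown"},         # inventory gap
]

# Assumed version format: four dotted numeric fields, a dash, a numeric build, the "sv" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'a.b.c.d-NNsv' into a tuple that compares field by field; None if malformed."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_affected(firmware: str) -> Optional[bool]:
    """True if firmware is at or below LAST_AFFECTED, False if newer, None if unparseable."""
    v = parse_version(firmware)
    if v is None:
        return None
    return v <= parse_version(LAST_AFFECTED)


def triage(inventory) -> Tuple[List[str], List[str], List[str]]:
    """Split an inventory into (affected, not_affected, needs_review) host lists.

    Unparseable versions are reported separately rather than silently treated as
    safe, so an incomplete inventory cannot hide an exposed appliance.
    """
    affected, clean, review = [], [], []
    for item in inventory:
        verdict = is_affected(item["firmware"])
        if verdict is None:
            review.append(item["host"])
        elif verdict:
            affected.append(item["host"])
        else:
            clean.append(item["host"])
    return affected, clean, review


if __name__ == "__main__":
    aff, ok, rev = triage(INVENTORY)
    print("Within affected range, patch now:", aff)
    print("Newer than last affected build:", ok)
    print("Firmware string not parseable, verify manually:", rev)
```

Feed `triage()` the output of whatever inventory source you trust (CMDB export, management console listing) and treat the "needs review" bucket as a finding in its own right: a device whose firmware you cannot read is a device you cannot vouch for.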

Workaround and Mitigation

Organizations are advised to take the following steps to mitigate the risks associated with SNWLID-2024-0018:

  • Immediately review the SonicWall advisory and apply the latest firmware updates to affected devices. This is crucial to patch the vulnerabilities and prevent potential exploitation.
  • Monitor network traffic for any unusual activity that may indicate exploitation attempts. Implementing intrusion detection systems can help identify and respond to suspicious behavior in real time.
  • Implement strict access controls to ensure that only authorized personnel have access to the management interfaces of the affected devices. This includes enforcing strong password policies and using multi-factor authentication where possible.
  • Conduct regular security assessments and vulnerability scans to identify and remediate any other potential weaknesses in the network.
  • Educate employees about the risks associated with these vulnerabilities and the importance of adhering to security protocols.

By following these recommendations, organizations can significantly reduce their exposure to the risks associated with this vulnerability.

References

  • SonicWall Security Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018
  • CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD CVE-2024-38475: https://nvd.nist.gov/vuln/detail/CVE-2024-38475

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complexities of cybersecurity through our Continuous Threat and Exposure Management (CTEM) platform. Our solutions are designed to provide organizations with the tools and insights needed to proactively manage their security posture and respond effectively to emerging threats. We are happy to answer any questions you might have about this report or any other issues at ops@rescana.com.
