SB2025010843 - Multiple vulnerabilities in SonicWall SonicOS
Published: January 8, 2025 Updated: February 28, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Integer overflow (CVE-ID: CVE-2024-40765)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to integer overflow in IPSec implementation. A remote user can send specially crafted IKEv2 packets to the system, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2024-12802)
The vulnerability allows a remote attacker to bypass MFA protection.
The vulnerability exists due to the separate handling of UPN (User Principal Name) and SAM
(Security Account Manager) account names when integrated with Microsoft
Active Directory, allowing MFA to be configured independently for each login method and
potentially enabling attackers to bypass MFA by exploiting the
alternative account name.
3) Improper privilege management (CVE-ID: CVE-2024-53706)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improper privilege management in the Gen7 SonicOS Cloud platform NSv (AWS and Azure editions only). A local user can escalate privileges to root and execute arbitrary code.
4) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2024-53705)
The disclosed vulnerability allows a remote attacker to perform SSRF attacks.
The vulnerability exists due to insufficient validation of user-supplied input in the SonicOS SSH management interface. A remote attacker can establish a TCP connection to an IP address on any port when the user is logged in to the firewall.
5) Improper Authentication (CVE-ID: CVE-2024-53704)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in in the SSLVPN authentication mechanism. A remote attacker can bypass authentication process and gain unauthorized access to the network.
6) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2024-40762)
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to generation of a weak token for SonicOS SSLVPN authentication. A remote attacker can guess the authentication token and gain unauthorized access to the network.
7) Path traversal (CVE-ID: CVE-2024-12806)
The vulnerability allows a remote user to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the management interface. A remote privileged user can send a specially crafted HTTP request and read arbitrary files on the system.
8) Format string error (CVE-ID: CVE-2024-12805)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a format string error within management interface. A remote privileged user can send a specially crafted HTTP request that contains format string specifiers and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
9) Stack-based buffer overflow (CVE-ID: CVE-2024-12803)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error within management interface. A remote privileged user can send a specially crafted request to the system, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
Remediation
Install update from vendor's website.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0013
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0001
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
- https://www.zerodayinitiative.com/advisories/ZDI-25-014/
- https://www.zerodayinitiative.com/advisories/ZDI-25-013/
- https://www.zerodayinitiative.com/advisories/ZDI-25-012/
- https://www.zerodayinitiative.com/advisories/ZDI-25-011/
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0004