Researchers have discovered a critical vulnerability in SonicWall SSL VPN devices that allows hackers to bypass multi-factor authentication (MFA), leaving users vulnerable to phishing attacks and other malicious activities. Updated firmware can provide protection for newer models, but older Gen6 devices require more extensive patching and configuration changes.
The world of cybersecurity is filled with an endless array of vulnerabilities and threats, as attackers constantly seek new ways to exploit weaknesses in our systems. Recently, a critical vulnerability was discovered in SonicWall SSL VPN devices that allows attackers to bypass multi-factor authentication (MFA), leaving users vulnerable to phishing attacks and other malicious activities.
The vulnerability, tracked as CVE-2024-12802, is related to the way MFA is enforced on UPN login formats. Specifically, if an account has valid credentials but is not required to use MFA because it belongs to a group that is exempt from it, an attacker holding only that account's valid credentials can log in without completing MFA and gain unauthorized access to the system.
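To make the failure mode concrete, the following added example (not SonicWall's code and not from the original article) models a group-based MFA policy that accepts more than one login-name format. The vulnerable version looks up the raw login string and treats "not found" as "not in an MFA group", so a UPN-format login that never matches the directory key walks through with password only. The hardened version resolves every login form to one canonical identity before the group check and fails closed on anything it cannot resolve. All user names, group names and the directory itself are constructed for the demonstration; the logic generalizes beyond the UPN case to any identity format mismatch.

```python
"""Added example: MFA policy keyed on login-name format, vulnerable vs hardened.

This is an illustrative model, not the vendor's implementation. The directory,
users and groups are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    sam: str                  # short account name, the directory key
    upn: str                  # user@domain form
    groups: set = field(default_factory=set)

# Constructed directory: MFA is enforced by membership in MFA_GROUP.
DIRECTORY = {
    "alice": User("alice", "alice@corp.example", {"vpn-users", "mfa-required"}),
    "bob": User("bob", "bob@corp.example", {"vpn-users"}),
}
MFA_GROUP = "mfa-required"

# Policy outcomes returned by both decision functions.
ALLOW, MFA, DENY = "allow", "mfa", "deny"

def mfa_decision_vulnerable(login_name: str) -> str:
    """Looks up the raw login string and fails OPEN when it is not found.

    A UPN-format login ("alice@corp.example") never matches the short-name key,
    so the user is treated as belonging to no MFA group at all.
    """
    user = DIRECTORY.get(login_name)
    if user is None:
        return ALLOW          # the defect: unknown identity -> no MFA
    return MFA if MFA_GROUP in user.groups else ALLOW

def normalize_login(login_name: str) -> Optional[str]:
    """Map sAMAccountName, UPN or DOMAIN\\user forms to the directory key."""
    name = login_name.strip().lower()
    if "@" in name:
        for u in DIRECTORY.values():
            if u.upn.lower() == name:
                return u.sam
        return None
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    return name if name in DIRECTORY else None

def mfa_decision_hardened(login_name: str) -> str:
    """Resolve to the canonical identity first; fail CLOSED on anything unknown."""
    key = normalize_login(login_name)
    if key is None:
        return DENY           # unresolvable identity -> refuse the login
    return MFA if MFA_GROUP in DIRECTORY[key].groups else ALLOW

if __name__ == "__main__":
    for name in ("alice", "alice@corp.example", "CORP\\alice", "nobody@corp.example"):
        print(f"{name:24s} vulnerable={mfa_decision_vulnerable(name):5s} "
              f"hardened={mfa_decision_hardened(name)}")
```

The point of the hardened path is that the policy check happens on the same canonical key the directory is indexed by, and that an identity the policy cannot classify is refused rather than waved through; the same principle applies to the group-exemption logic described above regardless of which login format the appliance accepts.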
This vulnerability was first observed by researchers at ReliaQuest, who noted that attackers were able to brute-force VPN credentials and bypass MFA on SonicWall Gen6 SSL-VPN appliances. These devices are used in a variety of settings, including businesses and organizations, as well as individuals who rely on these systems for remote access.
During the investigation, researchers found that the attackers would spend between 30 and 60 minutes logged in, performing network reconnaissance and testing credential reuse on internal systems before logging out. The researchers also found that the attackers established remote connections over RDP using a shared local administrator password.
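The activity pattern described above (a burst of failed logins, a successful login, a 30 to 60 minute session, then a clean logout) is detectable from the VPN's own authentication log. The following added example, which is not from the article or from ReliaQuest, runs two simple rules over constructed log lines in a made-up "timestamp event user source" format: a successful login preceded by a threshold of failures from the same source within a short window, and a session whose duration falls in the 30 to 60 minute band. The sample also shows the attacker switching from a short account name to the UPN form for the successful login, which a log reviewer may want to treat as a further signal.

```python
"""Added example: detect brute-force-then-login and short-session patterns.

Log format, thresholds and sample lines are constructed for this demonstration
and do not reflect any vendor's real log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: alice is brute-forced from one source, then a
# 41-minute session; bob is a normal working-day session.
SAMPLE_LOG = """\
2025-01-10T02:00:01Z login_failed alice 203.0.113.10
2025-01-10T02:00:03Z login_failed alice 203.0.113.10
2025-01-10T02:00:05Z login_failed alice 203.0.113.10
2025-01-10T02:00:07Z login_failed alice 203.0.113.10
2025-01-10T02:00:09Z login_failed alice 203.0.113.10
2025-01-10T02:00:11Z login_success alice@corp.example 203.0.113.10
2025-01-10T02:41:30Z logout alice@corp.example 203.0.113.10
2025-01-10T08:15:00Z login_success bob 198.51.100.7
2025-01-10T17:02:00Z logout bob 198.51.100.7
"""

def parse(log_text):
    """Yield (timestamp, event, canonical_user, raw_login_name, source) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, raw_name, src = line.split()
        # Collapse UPN form to the short name so all login formats compare equal.
        user = raw_name.split("@")[0].lower()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       event, user, raw_name, src))
    return events

def detect(log_text, fail_threshold=5, window_minutes=10,
           min_session_min=30, max_session_min=60):
    """Return a list of findings; thresholds are tunable assumptions."""
    failures = defaultdict(list)   # (user, src) -> recent failure timestamps
    open_sessions = {}             # (user, src) -> login timestamp
    findings = []
    for ts, event, user, raw_name, src in parse(log_text):
        key = (user, src)
        if event == "login_failed":
            failures[key].append(ts)
        elif event == "login_success":
            recent = [t for t in failures[key]
                      if (ts - t).total_seconds() <= window_minutes * 60]
            if len(recent) >= fail_threshold:
                findings.append({"rule": "brute_force_then_success",
                                 "user": user, "src": src,
                                 "failures": len(recent),
                                 "login_name": raw_name})
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            minutes = (ts - open_sessions.pop(key)).total_seconds() / 60
            if min_session_min <= minutes <= max_session_min:
                findings.append({"rule": "short_session", "user": user,
                                 "src": src, "minutes": round(minutes, 1)})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

On the constructed input this flags alice twice (five failures in the ten minutes before the success, then a 41.3 minute session) and bob not at all. Either rule on its own is noisy on a real appliance; the combination of both for the same user and source, especially from an address outside the organization's usual ranges, is the shape worth alerting on.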
The good news is that updating the firmware on Gen7 and Gen8 devices will provide full protection against this vulnerability. However, for older models like the Gen6, users need to complete additional steps to patch the system and ensure their MFA settings are properly configured.
Administrators of Gen6 SonicWall devices must update to the latest firmware and then follow the specific remediation steps outlined by the vendor. These steps include deleting existing LDAP configurations that use userPrincipalName in the "Qualified login name" field, removing locally cached or listed LDAP users, removing the SSL VPN user domain, rebooting the firewall, recreating the LDAP configuration without userPrincipalName, and creating a fresh backup so that the vulnerable LDAP configuration is not restored later.
It's worth noting that attackers continue to bypass MFA on Gen6 devices where the patch was applied incompletely, that is, where the firmware was updated but the follow-on configuration steps were not carried out. This highlights the importance of keeping your software up to date and following best practices for security patch management.
The attackers in these cases were believed to be brokers selling initial access to threat groups, suggesting a more organized operation than opportunistic exploitation for personal gain. AI-powered tools may also have played a role in the attacks, as some researchers noted that attackers used AI to develop zero-day exploits.
Overall, the vulnerability in SonicWall SSL VPN devices highlights the need for vigilance and proactive security measures to protect against emerging threats. As with any vulnerability, it's essential to stay informed about patches and best practices to minimize exposure to attackers.