SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475)
Another day, another edge device being targeted - it’s a typical Thursday! In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while. Specifically, today, we’re going to be analyzing and reproducing: CVE-2024-38475 - Apache HTTP Pre-Authentication Arbitrary File Read Discovered by Orange Tsai Although this is a CVE attached to the Apache HTTP Server, it is important to note that due to how CVEs are now assigned, a seperate CVE will not be assigned for SonicWall's usage of the vulnerable version. This makes the situation confusing for those responding to CISA's KEV listing - CISA is referring to the two vulnerabilities in combination being used to attack SonicWall devices. You can see this evidenced in SonicWall's updated PSIRT advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0018 CVE-2023-44221 - Post-Authentication Command Injection Discovered by "Wenjie Zhong (H4lo) Webin lab of DBappSecurity Co., Ltd” As of the day this research was published, CISA had added these vulnerabilities to the Known Exploited Vulnerabilities list. Do you know the fun things about these posts? We can copy text from previous posts about edge devices:
