Full Report
The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices. [...]
Analysis Summary
# Vulnerability: Critical Access Control Flaw in SonicWall SSLVPN (CVE-2024-40766) Exploited by Akira Ransomware
## CVE Details
- CVE ID: CVE-2024-40766
- CVSS Score: Critical (the numerical score is not given in the source text; active in-the-wild exploitation implies high severity)
- CWE: Access Control Vulnerability (implied by the description; no CWE ID given in the source)
## Affected Systems
- Products: SonicWall SSL VPN endpoints, Firewalls running SonicOS
- Versions:
  - Gen 5 (SOHO): Version 5.9.2.14-12o and older
  - Gen 6 (TZ, NSA, SM models): Version 6.5.4.14-109n and older
  - Gen 7 (TZ, NSA models): Build version 7.0.1-5035 and older
- Configurations: Devices with unpatched firmware and potentially default group/portal permissions.
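To turn the per-generation version ceilings above into an inventory check, here is an added example (not code from the advisory, SonicWall, or the cited articles). It parses SonicOS version strings of the shapes shown on this page and flags any firmware at or below the listed maximum for its generation; it assumes the leading number identifies the generation and that letter suffixes on an equal build number sort alphabetically.

```python
import re
from typing import NamedTuple, Optional

# Highest affected SonicOS version per hardware generation, as listed above.
# "and older" means any version <= these values is affected.
AFFECTED_MAX = {
    5: "5.9.2.14-12o",   # Gen 5 (SOHO)
    6: "6.5.4.14-109n",  # Gen 6 (TZ, NSA, SM)
    7: "7.0.1-5035",     # Gen 7 (TZ, NSA)
}

# Dotted numeric part, optional "-<build><letters>" (e.g. "-109n", "-5035").
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+)([a-z]*))?$")

class SonicOSVersion(NamedTuple):
    parts: tuple   # dotted numeric components, e.g. (6, 5, 4, 14)
    build: int     # build number after the dash, 0 if absent
    suffix: str    # trailing letters such as "o" or "n", "" if absent

def parse_version(text: str) -> SonicOSVersion:
    """Parse strings like '6.5.4.14-109n', '7.0.1-5035' or '7.3.0'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return SonicOSVersion(parts, int(m.group(2) or 0), m.group(3) or "")

def is_affected(text: str) -> Optional[bool]:
    """True if at or below the affected ceiling for its generation (first
    numeric component), False if newer, None if the generation is not listed."""
    v = parse_version(text)
    ceiling = AFFECTED_MAX.get(v.parts[0])
    if ceiling is None:
        return None
    # NamedTuple ordering: numeric components, then build number, then suffix.
    # Assumption: letter suffixes on an equal build number sort alphabetically.
    return v <= parse_version(ceiling)

def affected_devices(inventory: dict) -> list:
    """Return the names of devices whose firmware string is affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"fw-branch-1": "6.5.4.14-109n", "fw-hq": "7.0.1-5036",
              "fw-soho": "5.9.2.14-12o", "fw-new": "7.3.0"}
    print(affected_devices(sample))  # ['fw-branch-1', 'fw-soho']
```

A device reported as not affected by this check still needs the credential rotation and group/portal hardening described under Remediation, since the advisory's point is that pre-patch credentials survive the firmware update.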
## Vulnerability Description
CVE-2024-40766 is a critical-severity access control vulnerability that SonicWall patched in August of the previous year. It allows unauthorized resource access and can lead to firewall crashes. When it released the patch, SonicWall strongly recommended immediate password resets for locally managed SSLVPN accounts, because otherwise attackers holding credentials compromised before the update can still bypass MFA/TOTP afterwards. Current exploitation by Akira ransomware leverages this flaw, sometimes making use of broad access permissions tied to the 'Default Users Group' for VPN authentication or of default public access to the Virtual Office Portal.
## Exploitation
- Status: Actively exploited in the wild (by Akira ransomware group)
- Complexity: Low/Medium (exploitation leverages existing access paths, such as credentials that were not rotated after patching)
- Attack Vector: Network
## Impact
- Confidentiality: High (Unauthorized access to network resources)
- Integrity: Medium/High (Potential configuration changes or deployment of malware)
- Availability: Medium (Can cause firewall crashes)
## Remediation
### Patches
Administrators must update to the following versions or later:
- Upgrade devices to **firmware version 7.3.0 or later** (This consolidated patch addresses the core vulnerability across applicable generations).
### Workarounds
1. **Rotate Passwords:** Immediately rotate passwords for all users with locally managed SSLVPN accounts, especially following patching.
2. **Enforce MFA:** Ensure Multi-Factor Authentication (MFA) is strictly enforced.
3. **Restrict Groups:** Mitigate risks associated with the **SSLVPN Default Groups** by reviewing and restricting their permissions.
4. **Restrict Portal Access:** Restrict access to the **Virtual Office Portal** to only trusted/internal networks.
## Detection
- Indicators of Compromise (IOCs): Increased malicious activity targeting SonicWall SSLVPN endpoints, in particular unusual authentication attempts and, after an initial breach, unauthorized access visible in logs.
- Detection Methods and Tools: Monitor firewall and VPN logs for unusual authentications originating externally or unauthorized access attempts to the Virtual Office Portal/VPN tunnel. Reference vendor advisory SNWLID-2024-0015 for specific detection guidance.
## References
- Vendor Advisory: hXXps://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015
- General Reporting: hXXps://www.bleepingcomputer.com/news/security/akira-ransomware-exploiting-critical-sonicwall-sslvpn-bug-again/
- Analysis: hXXps://www.rapid7.com/blog/post/dr-akira-ransomware-group-utilizing-sonicwall-devices-for-initial-access/