CVE-2024-40766

Warnung

Medienbericht

EPSS 10%
Veröffentlicht 23.08.2024 07:15:03
Zuletzt bearbeitet 16.09.2024 19:48:30
Quelle PSIRT@sonicwall.com
Teams Watchlist Login
Unerledigt Login

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Betroffene Produkte Warnungen 2 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sonicwall ≫ Sonicos Version < 5.9.2.14-13o

Sonicwall ≫ Soho Version-

Sonicwall ≫ Sonicos Version < 6.5.2.8-2n

   Sonicwall ≫ Nssp 12400 Version-
   Sonicwall ≫ Nssp 12800 Version-
   Sonicwall ≫ Sm9800 Version-

Sonicwall ≫ Sonicos Version < 6.5.4.15.116n

   Sonicwall ≫ Nsa 2650 Version-
   Sonicwall ≫ Nsa 3600 Version-
   Sonicwall ≫ Nsa 3650 Version-
   Sonicwall ≫ Nsa 4600 Version-
   Sonicwall ≫ Nsa 4650 Version-
   Sonicwall ≫ Nsa 5600 Version-
   Sonicwall ≫ Nsa 5650 Version-
   Sonicwall ≫ Nsa 6600 Version-
   Sonicwall ≫ Nsa 6650 Version-
   Sonicwall ≫ Sm 9200 Version-
   Sonicwall ≫ Sm 9250 Version-
   Sonicwall ≫ Sm 9400 Version-
   Sonicwall ≫ Sm 9450 Version-
   Sonicwall ≫ Sm 9600 Version-
   Sonicwall ≫ Sm 9650 Version-
   Sonicwall ≫ Soho 250 Version-
   Sonicwall ≫ Soho 250w Version-
   Sonicwall ≫ Sohow Version-
   Sonicwall ≫ Tz 300 Version-
   Sonicwall ≫ Tz 300p Version-
   Sonicwall ≫ Tz 300w Version-
   Sonicwall ≫ Tz 350 Version-
   Sonicwall ≫ Tz 350w Version-
   Sonicwall ≫ Tz 400 Version-
   Sonicwall ≫ Tz 400w Version-
   Sonicwall ≫ Tz 500 Version-
   Sonicwall ≫ Tz 500w Version-
   Sonicwall ≫ Tz 600 Version-
   Sonicwall ≫ Tz 600p Version-

Sonicwall ≫ Sonicos Version <= 7.0.1-5035

   Sonicwall ≫ Nsa 2700 Version-
   Sonicwall ≫ Nsa 3700 Version-
   Sonicwall ≫ Nsa 4700 Version-
   Sonicwall ≫ Nsa 5700 Version-
   Sonicwall ≫ Nsa 6700 Version-
   Sonicwall ≫ Nssp 10700 Version-
   Sonicwall ≫ Nssp 11700 Version-
   Sonicwall ≫ Nssp 13700 Version-
   Sonicwall ≫ Tz270 Version-
   Sonicwall ≫ Tz270w Version-
   Sonicwall ≫ Tz370 Version-
   Sonicwall ≫ Tz370w Version-
   Sonicwall ≫ Tz470 Version-
   Sonicwall ≫ Tz470w Version-
   Sonicwall ≫ Tz570 Version-
   Sonicwall ≫ Tz570p Version-
   Sonicwall ≫ Tz570w Version-
   Sonicwall ≫ Tz670 Version-

09.09.2024: CISA Known Exploited Vulnerabilities (KEV) Catalog

SonicWall SonicOS Improper Access Control Vulnerability

Schwachstelle

SonicWall SonicOS contains an improper access control vulnerability that could lead to unauthorized resource access and, under certain conditions, may cause the firewall to crash.

Beschreibung

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

05.08.2025: CERT.at Warnung

https://www.cert.at/de/warnungen/2025/8/erhohte-bedrohungsaktivitat-gegen-sonicwall-gen-7-firewalls-mit-sslvpn-sofortmassnahmen-empfohlen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	10%	0.928

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.3	3.9	4.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://www.heise.de/news/Jetzt-patchen-Erneut-Attacken-auf-SonicWall-Firewalls-beobachtet-10642110.html

Medienbericht

heise Security

https://www.heise.de/news/Attacken-auf-SonicWall-Firewalls-Akira-Ransomware-trotzt-MFA-10679086.html

Medienbericht

heise Security

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0015

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-40766

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-40766

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-40766

EUVD