SonicBoom, From Stolen Tokens to Remote Shells - SonicWall SMA (CVE-2023-44221, CVE-2024-38475) labs.watchtowr.com/sonicboom…
Another day, another edge device being targeted - it’s a typical Thursday!
In today’s blog post, we’re excited to share our previously private analysis of the now exploited in-the-wild N-day vulnerabilities affecting SonicWall’s SMA100 appliance. Over the last few months, our client base has fed us rumours of in-the-wild exploitation of SonicWall systems, and thus, this topic has had our attention for a while.
Specifically, today we’re going to be analyzing and reproducing CVE-2024-38475, an Apache HTTP Server pre-authentication arbitrary file read discovered by Orange Tsai. Although this CVE is attached to the Apache HTTP Server, it is important to note that, due to how CVEs are now assigned, a separate CVE will not be assigned for SonicWall’s use of the vulnerable version. This makes the situation confusing for those responding to CISA’s KEV listing: CISA is referring to the two vulnerabilities being used in combination to attack SonicWall devices.