SonicWall Secure Mobile Access (SMA) appliances are under active attack through two vulnerabilities, CVE-2024-38475 (pre-authentication arbitrary file read) and CVE-2023-44221 (post-authentication command injection), which are being chained to bypass authentication and reach code execution.
Both flaws are now listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Chained together they let attackers hijack sessions, execute commands, and gain administrative control over SMA 200, 210, 400, 410, and 500v devices.
Technical Breakdown of the Exploit Chain
1. CVE-2024-38475: Apache mod_rewrite Arbitrary File Read
Discovered by Orange Tsai, this critical vulnerability (CVSS 9.1) in the mod_rewrite module of Apache HTTP Server lets unauthenticated attackers map URLs to filesystem locations the server was never meant to expose, and so read arbitrary files.
SonicWall's SMA appliances ship a modified Apache configuration that is exposed to two of the "confusion" patterns behind this bug, Filename Confusion and DocumentRoot Confusion:
- Filename Confusion: appending %3F (a URL-encoded "?") to a request lets the attacker cut off the suffix that a RewriteRule appends to the rewritten filename, because affected Apache versions treat the decoded "?" as the end of the path. For example:
```text
GET /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css HTTP/1.1
Host: vulnerable-host
```
The rule matches the ".css" ending, but the file actually served is the log file before the "%3f". The same trick exposes files like /tmp/temp.db, an SQLite database that stores active admin session tokens.
- DocumentRoot Confusion: rewrite rules in SonicWall's httpd.conf map request paths to files outside the intended directory. Attackers use crafted CSS requests to retrieve sensitive system files, enabling session hijacking.
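Because Apache logs the request line exactly as it was received, both signals of the file-read technique above survive in the access log: an encoded "?" (%3f or %3F) inside the path, and an absolute filesystem prefix such as /mnt/ or /tmp/ that no SMA URL legitimately starts with. The following scanner is an added example written for this article, not code from SonicWall or watchTowr; the log lines, hosts and the list of filesystem prefixes it treats as suspicious are constructed assumptions for illustration.

```c
/* Added example: flag Apache access-log entries that match the
 * CVE-2024-38475 read technique. Not SonicWall's or watchTowr's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copies the request target out of a combined-format line ("METHOD path HTTP/x").
 * Apache records the request line as received, so %3f survives un-decoded. */
bool extract_request_path(const char *line, char *out, size_t cap) {
    const char *q = strchr(line, '"');
    if (!q) return false;
    const char *sp = strchr(q + 1, ' ');      /* space after the method */
    if (!sp) return false;
    const char *end = strchr(sp + 1, ' ');    /* space before HTTP/1.1 */
    if (!end) end = sp + 1 + strlen(sp + 1);
    size_t len = (size_t)(end - (sp + 1));
    if (len + 1 > cap) return false;
    memcpy(out, sp + 1, len);
    out[len] = '\0';
    return true;
}

static bool has_prefix(const char *s, const char *p) {
    return strncmp(s, p, strlen(p)) == 0;
}

/* Two signals:
 *  - an encoded '?' inside the path: a browser sends a literal '?' to start a
 *    query string, so an encoded one is almost always a truncation attempt;
 *  - an absolute filesystem prefix (assumed list) that no SMA URL starts with. */
bool path_is_suspicious(const char *path) {
    if (strstr(path, "%3f") || strstr(path, "%3F")) return true;
    static const char *fs_prefixes[] = { "/mnt/", "/tmp/", "/etc/" };
    for (size_t i = 0; i < sizeof fs_prefixes / sizeof *fs_prefixes; i++)
        if (has_prefix(path, fs_prefixes[i])) return true;
    return false;
}

/* Returns how many of the given lines look like CVE-2024-38475 read attempts,
 * printing each matching path as it goes. */
int scan_access_log(const char *const *lines, size_t n) {
    int hits = 0;
    char path[2048];
    for (size_t i = 0; i < n; i++) {
        if (extract_request_path(lines[i], path, sizeof path) &&
            path_is_suspicious(path)) {
            hits++;
            printf("suspicious request: %s\n", path);
        }
    }
    return hits;
}

/* Constructed sample lines (hypothetical client addresses and timestamps). */
static const char *SAMPLE_LOG[] = {
    "203.0.113.7 - - [01/May/2025:10:01:02 +0000] \"GET /mnt/ram/var/log/httpd.log%3f.1.1.1.1a-1.css HTTP/1.1\" 200 8123",
    "198.51.100.9 - - [01/May/2025:10:01:05 +0000] \"GET /tmp/temp.db%3F.1.1.1.1a-1.css HTTP/1.1\" 200 65536",
    "192.0.2.5 - - [01/May/2025:10:02:11 +0000] \"GET /cgi-bin/welcome HTTP/1.1\" 200 4410",
    "192.0.2.5 - - [01/May/2025:10:02:12 +0000] \"GET /sonicui/7/css/main.1.2.3a-4.css HTTP/1.1\" 200 9000",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof *SAMPLE_LOG)

int main(void) {
    int hits = scan_access_log(SAMPLE_LOG, SAMPLE_LOG_LEN);
    printf("%d of %zu sample lines look like file-read attempts\n", hits, SAMPLE_LOG_LEN);
    return 0;
}
```

A legitimate SMA stylesheet request (last sample line) carries the same versioned ".css" suffix as the attack but neither an encoded "?" nor a filesystem prefix, so it is not flagged; tune the prefix list to the paths your own rewrite rules can reach.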
2. CVE-2023-44221: Post-Authentication Command Injection
With a valid admin session stolen via CVE-2024-38475, attackers turn to this high-severity flaw (CVSS 7.2) in the SMA's SSL-VPN diagnostics interface. The shellScriptEncode function escapes shell metacharacters in user input but never bounds the length of its output, so an oversized input overflows a fixed-size buffer and yields command execution as the nobody user:
```c
void shellScriptEncode(_WORD *a1, char *a2) {
    // ... (escapes $, ", \, ` but lacks buffer limits)
}
```
Each escaped character doubles in size, so flooding the target parameter with quotes overflows the escaped_cmd buffer and lets the attacker inject commands into the traceroute6 invocation:
```text
POST /spog/diagnostics HTTP/1.1
Host: vulnerable-host
...

tool=TRACEROUTE6_CMD&target=;whoami; """"""""... (280 quotes)
```
The result is arbitrary command execution on the appliance, a foothold for further exploitation of the network behind it.
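The two defects described above are separable: the escaper writes more bytes than its destination can hold, and the diagnostics handler hands user input to a shell at all. The code below is an added illustration written for this article, not SonicWall's shellScriptEncode or watchTowr's exploit. It shows the doubling that a run of quotes causes, a bounded escaper that refuses rather than overflows, and the durable fix of validating the target and passing it to traceroute6 as its own argv element. The 512-byte buffer capacity and the hostname character set are assumptions; the real escaped_cmd size is not given in the article.

```c
/* Added example: bounded escaping and argv-based execution for a
 * traceroute6 diagnostic. Not SonicWall's code. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters the article says shellScriptEncode escapes inside a double-quoted
 * shell string. Each one is emitted with a leading backslash. */
static bool needs_escape(char c) {
    return c == '$' || c == '"' || c == '\\' || c == '`';
}

/* Bytes the escaped form of `in` occupies, excluding the NUL. Every escaped
 * character doubles, so N quotes need 2N bytes: this is the expansion an
 * unbounded escaper writes past a fixed-size escaped_cmd buffer. */
size_t escaped_length(const char *in) {
    size_t n = 0;
    for (; *in; in++) n += needs_escape(*in) ? 2 : 1;
    return n;
}

/* Bounded escaper. Writes the escaped string and returns its length, or
 * returns -1 and writes nothing when the result would not fit in out_cap. */
long shell_escape_bounded(char *out, size_t out_cap, const char *in) {
    size_t need = escaped_length(in);
    if (out_cap == 0 || need > out_cap - 1) return -1;
    size_t o = 0;
    for (; *in; in++) {
        if (needs_escape(*in)) out[o++] = '\\';
        out[o++] = *in;
    }
    out[o] = '\0';
    return (long)o;
}

/* Does a run of n_quotes '"' characters fit, escaped, in a buffer of cap bytes?
 * The 512-byte capacity used below is an assumption for illustration. */
bool quotes_fit(size_t n_quotes, size_t cap) {
    char *in = malloc(n_quotes + 1);
    char *out = malloc(cap);
    if (!in || !out) { free(in); free(out); return false; }
    memset(in, '"', n_quotes);
    in[n_quotes] = '\0';
    bool ok = shell_escape_bounded(out, cap, in) >= 0;
    free(in);
    free(out);
    return ok;
}

/* The durable fix: never build a shell command from user input. Accept only
 * the characters a hostname or IP literal can contain (assumed set), reject a
 * leading '-' so the value cannot be parsed as an option, and pass it to
 * traceroute6 as a separate argv element. */
bool valid_trace_target(const char *s) {
    size_t len = strlen(s);
    if (len == 0 || len > 253 || s[0] == '-') return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return false;
    }
    return true;
}

/* Fills argv for an execvp(3)-style call; returns the argument count, or -1
 * when the target is rejected. ';', whitespace and quotes never get through. */
int build_traceroute6_argv(const char *target, const char *argv[3]) {
    if (!valid_trace_target(target)) return -1;
    argv[0] = "traceroute6";
    argv[1] = target;
    argv[2] = NULL;
    return 2;
}

int main(void) {
    printf("280 quotes need %zu escaped bytes; fit in 512? %s\n",
           escaped_length("\"") * 280, quotes_fit(280, 512) ? "yes" : "no");
    const char *argv[3];
    printf("target ';whoami;' accepted? %s\n",
           build_traceroute6_argv(";whoami;", argv) == -1 ? "no" : "yes");
    printf("target '2001:db8::1' accepted? %s\n",
           build_traceroute6_argv("2001:db8::1", argv) == -1 ? "no" : "yes");
    return 0;
}
```

With the bounded escaper alone, the 280-quote payload is simply refused, which closes the overflow but still leaves a shell in the path; the argv route removes the shell entirely, so escaping is no longer load-bearing.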
Impact and Mitigation
Affected Devices:
- SMA 200, 210, 400, 410, and 500v running firmware versions below 10.2.1.14-75sv.
Exploitation Workflow:
- Use CVE-2024-38475 to leak /tmp/temp.db and extract admin session cookies.
- Hijack the session and trigger CVE-2023-44221 to execute commands.
- Establish persistence or move laterally within the network.
Patches and Recommendations:
- Upgrade to firmware 10.2.1.14-75sv or later.
- Monitor for unauthorized logins and unexpected activity by the nobody user.
- Review CISA's advisory, which binds federal agencies to patch by May 22, 2025.
The chaining of these vulnerabilities underscores the risk of unpatched edge devices.
With watchTowr Labs having released a proof-of-concept exploit, defenders must prioritize patch deployment and scrutinize their own Apache mod_rewrite configurations.
SonicWall's delayed CVE assignment for its Apache fork also highlights the need for transparent vendor disclosures. Organizations running SMA appliances should assume compromise and begin forensic review immediately.