CVE-2023-5970
TL;DR
This vulnerability allows a remote authenticated attacker to bypass multi-factor authentication (MFA) on SonicWall SMA100 SSL-VPN virtual office portals by creating duplicate external domain users using accent characters. Organizations using affected SonicWall SMA100 devices with external domain authentication and MFA enabled are at risk.
Affected Systems
- SonicWall SMA100 Series
Risk & Real-World Impact
Worst Case
Attackers gain unauthorized access to VPN-protected internal networks, potentially leading to data exfiltration, lateral movement, and full network compromise.
Likely Case
Attackers bypass MFA to access VPN resources as legitimate users, enabling credential theft, privilege escalation, and unauthorized data access.
If Mitigated
With proper patching and monitoring, impact is limited to unsuccessful authentication bypass attempts.
Exploit Status
Exploitation requires authenticated access to the VPN portal. Attackers can leverage existing compromised credentials or social engineering.
Fix & Mitigation
Official Fix
Patch Version: 12.4.4-10179 or later
Vendor Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0018
Restart Required: Yes
Instructions:
1. Download firmware 12.4.4-10179 or later from MySonicWall.
2. Backup current configuration.
3. Upload and install firmware via SMA100 web interface.
4. Reboot device after installation.
Temporary Workarounds
Disable External Domain Authentication
Temporarily switch to local authentication or RADIUS/LDAP without external domain integration.
Enforce Strict Username Policies
Configure domain policies to reject usernames with accent characters or special symbols.
If You Can't Patch
- Implement network segmentation to isolate VPN traffic and limit lateral movement.
- Enable detailed authentication logging and monitor for duplicate user creation attempts.
How to Verify
Check if Vulnerable:
Check the SMA100 firmware version via the web interface: System > Status > Firmware Version. If the version is below 12.4.4-10179, the device is vulnerable.
Check Version:
ssh admin@<sma_ip> show version
Verify Fix Applied:
After patching, verify firmware version is 12.4.4-10179 or higher. Test MFA functionality with external domain users containing accent characters.
Detection & Monitoring
Log Indicators:
- Multiple authentication attempts with similar usernames differing by accent characters
- Successful logins from users with accent characters after MFA bypass
Network Indicators:
- Unusual VPN connection patterns from external IPs
- Increased authentication traffic to SMA100 portal
SIEM Query:
source="sma100" AND (event_type="authentication" AND (user="*[áéíóú]*" OR user="*[àèìòù]*"))
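The first log indicator above (similar usernames differing only by accent characters) can also be checked offline against exported authentication events. The following is an added example, not code from SonicWall or from the original page. It generalizes the fixed character classes in the SIEM query to any Unicode combining mark, and the (domain, username) event shape and the sample records are constructed assumptions.

```python
import unicodedata
from collections import defaultdict


def fold_username(name: str) -> str:
    """Return an accent-insensitive, case-insensitive key for a username."""
    # NFKD splits accented letters into base letter + combining mark(s).
    decomposed = unicodedata.normalize("NFKD", name)
    # Drop the combining marks so only the base letters remain.
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold()


def find_accent_collisions(events):
    """Group usernames that differ only by accents within the same domain.

    events: iterable of (domain, username) pairs taken from authentication
    logs (assumed shape, not the SMA100 log format).
    Returns {(domain, folded_name): [distinct spellings]} for every folded
    name that was seen with more than one spelling.
    """
    seen = defaultdict(set)
    for domain, user in events:
        # NFC + casefold: precomposed/decomposed forms and case variants of
        # the same name count as one spelling, so only real accent
        # differences are reported.
        spelling = unicodedata.normalize("NFC", user).casefold()
        seen[(domain.casefold(), fold_username(user))].add(spelling)
    return {key: sorted(names) for key, names in seen.items() if len(names) > 1}


# Constructed sample events for illustration only.
SAMPLE_EVENTS = [
    ("corp.example", "jsmith"),
    ("corp.example", "jsm\u00edth"),    # i with acute accent, precomposed
    ("corp.example", "JSmith"),         # case variant, not an accent variant
    ("corp.example", "jsmi\u0301th"),   # same accented name, decomposed form
    ("corp.example", "mgarcia"),
    ("corp.example", "agn\u00e8s"),     # e with grave accent
    ("lab.example", "agnes"),           # different domain, no collision
]

if __name__ == "__main__":
    for (domain, folded), names in find_accent_collisions(SAMPLE_EVENTS).items():
        print(f"{domain}: {folded!r} seen as {names}")
```

Any key returned here is a candidate duplicate external domain user and is worth comparing against the account's MFA enrollment state.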