CVE-2024-37386
📋 TL;DR
This vulnerability in Stormshield Network Security (SNS) allows attackers to bypass secure boot protections and restart devices in single-user mode, potentially gaining administrative access. It affects SNS versions 4.0.0 through 4.3.25, 4.4.0 through 4.7.5, and 4.8.0. Organizations using these vulnerable versions of Stormshield firewalls are at risk.
💻 Affected Systems
- Stormshield Network Security (SNS)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain physical or administrative access to the firewall, bypass secure boot, and compromise the entire device to intercept traffic, install persistent malware, or disable security controls.
Likely Case
Privileged attackers with physical access or administrative credentials bypass secure boot to gain deeper system access for privilege escalation or persistence.
If Mitigated
With proper physical security and administrative access controls, risk is limited to authorized administrators misusing the vulnerability.
🎯 Exploit Status
Exploitation requires physical access to the device or administrative credentials to perform the manipulation. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.27, 4.7.6, and 4.8.2
Vendor Advisory: https://advisories.stormshield.eu/2024-017
Restart Required: Yes
Instructions:
1. Identify your SNS version using the version check command.
2. Download the appropriate fixed version from Stormshield support portal.
3. Apply the update through the SNS management interface.
4. Reboot the device to complete the installation.
🔧 Temporary Workarounds
Physical Security Controls
Restrict physical access to Stormshield devices to prevent attackers from manipulating hardware.
Administrative Access Restrictions
Limit administrative credentials to trusted personnel only and implement multi-factor authentication.
🧯 If You Can't Patch
- Implement strict physical security controls around firewall devices
- Restrict administrative access and monitor for unauthorized configuration changes
🔍 How to Verify
Check if Vulnerable:
Check the SNS version against the affected ranges. If the version is in 4.0.0 through 4.3.25, in 4.4.0 through 4.7.5, or is exactly 4.8.0, the device is vulnerable.
Check Version:
ssh admin@firewall-ip 'show version' or check via SNS web interface under System > Information
Verify Fix Applied:
After patching, verify the version is 4.3.27, 4.7.6, or 4.8.2 or higher.
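The version check above can be run across a device inventory. The following is an added example, not a Stormshield tool or a script from this page: it compares versions numerically against the ranges and fixed releases listed here, and it reports releases the page places in neither list (such as 4.3.26 or 4.8.1) as "unlisted" rather than guessing. The inventory format, hostnames and function names are assumptions.

```python
import re

# Affected ranges (inclusive) and fixed releases exactly as listed on this page.
AFFECTED = [((4, 0, 0), (4, 3, 25)), ((4, 4, 0), (4, 7, 5)), ((4, 8, 0), (4, 8, 0))]
FIXED_BRANCH = [(4, 3, 27), (4, 7, 6)]   # fix applies within the same x.y branch
FIXED_FLOOR = (4, 8, 2)                  # assumption: "4.8.2 or higher" covers later releases


def parse_version(text):
    """Parse a strict 'x.y.z' string into an integer tuple, else None."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(version):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparseable'."""
    v = parse_version(version)
    if v is None:
        return "unparseable"
    # Integer tuples compare numerically, so 4.3.3 sorts below 4.3.25.
    if any(lo <= v <= hi for lo, hi in AFFECTED):
        return "vulnerable"
    if any(v[:2] == fix[:2] and v >= fix for fix in FIXED_BRANCH) or v >= FIXED_FLOOR:
        return "fixed"
    # e.g. 4.3.26 or 4.8.1: the page places these in neither list.
    return "unlisted"


def triage(inventory):
    """Map each 'host,version' line to its classification."""
    result = {}
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        result[host.strip()] = classify(version)
    return result


# Constructed sample inventory; hostnames are hypothetical.
SAMPLE = """
fw-edge-01,4.3.3
fw-edge-02,4.3.27
fw-dc-01,4.8.0
fw-dc-02,4.8.1
fw-lab-01,4.7.6
fw-lab-02,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "unlisted" or "unparseable" should be checked against the vendor advisory by hand.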
📡 Detection & Monitoring
Log Indicators:
- Unexpected reboots into single-user mode
- Secure boot violation alerts
- Unauthorized configuration changes to boot settings
Network Indicators:
- Unusual firewall behavior or rule changes
- Traffic inspection bypass
SIEM Query:
source="stormshield" AND (event_type="reboot" OR event_type="boot_mode_change")