CVE-2024-40766

Sept. 16, 2024, 7:48 p.m.

9.8
Critical

Description

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Product(s) Impacted

Vendor Product Versions
Sonicwall
  • Sonicos
  • Soho
  • Nssp 12400
  • Nssp 12800
  • Sm9800
  • Nsa 2650
  • Nsa 3600
  • Nsa 3650
  • Nsa 4600
  • Nsa 4650
  • Nsa 5600
  • Nsa 5650
  • Nsa 6600
  • Nsa 6650
  • Sm 9200
  • Sm 9250
  • Sm 9400
  • Sm 9450
  • Sm 9600
  • Sm 9650
  • Soho 250
  • Soho 250w
  • Sohow
  • Tz 300
  • Tz 300p
  • Tz 300w
  • Tz 350
  • Tz 350w
  • Tz 400
  • Tz 400w
  • Tz 500
  • Tz 500w
  • Tz 600
  • Tz 600p
  • Nsa 2700
  • Nsa 3700
  • Nsa 4700
  • Nsa 5700
  • Nsa 6700
  • Nssp 10700
  • Nssp 11700
  • Nssp 13700
  • Tz270
  • Tz270w
  • Tz370
  • Tz370w
  • Tz470
  • Tz470w
  • Tz570
  • Tz570p
  • Tz570w
  • Tz670
Versions
  • Sonicos: *
  • All other listed products: -

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-284
Improper Access Control
The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
o sonicwall sonicos / / / / / / / /
h sonicwall soho - / / / / / / /
o sonicwall sonicos / / / / / / / /
h sonicwall nssp_12400 - / / / / / / /
h sonicwall nssp_12800 - / / / / / / /
h sonicwall sm9800 - / / / / / / /
o sonicwall sonicos / / / / / / / /
h sonicwall nsa_2650 - / / / / / / /
h sonicwall nsa_3600 - / / / / / / /
h sonicwall nsa_3650 - / / / / / / /
h sonicwall nsa_4600 - / / / / / / /
h sonicwall nsa_4650 - / / / / / / /
h sonicwall nsa_5600 - / / / / / / /
h sonicwall nsa_5650 - / / / / / / /
h sonicwall nsa_6600 - / / / / / / /
h sonicwall nsa_6650 - / / / / / / /
h sonicwall sm_9200 - / / / / / / /
h sonicwall sm_9250 - / / / / / / /
h sonicwall sm_9400 - / / / / / / /
h sonicwall sm_9450 - / / / / / / /
h sonicwall sm_9600 - / / / / / / /
h sonicwall sm_9650 - / / / / / / /
h sonicwall soho_250 - / / / / / / /
h sonicwall soho_250w - / / / / / / /
h sonicwall sohow - / / / / / / /
h sonicwall tz_300 - / / / / / / /
h sonicwall tz_300p - / / / / / / /
h sonicwall tz_300w - / / / / / / /
h sonicwall tz_350 - / / / / / / /
h sonicwall tz_350w - / / / / / / /
h sonicwall tz_400 - / / / / / / /
h sonicwall tz_400w - / / / / / / /
h sonicwall tz_500 - / / / / / / /
h sonicwall tz_500w - / / / / / / /
h sonicwall tz_600 - / / / / / / /
h sonicwall tz_600p - / / / / / / /
o sonicwall sonicos / / / / / / / /
h sonicwall nsa_2700 - / / / / / / /
h sonicwall nsa_3700 - / / / / / / /
h sonicwall nsa_4700 - / / / / / / /
h sonicwall nsa_5700 - / / / / / / /
h sonicwall nsa_6700 - / / / / / / /
h sonicwall nssp_10700 - / / / / / / /
h sonicwall nssp_11700 - / / / / / / /
h sonicwall nssp_13700 - / / / / / / /
h sonicwall tz270 - / / / / / / /
h sonicwall tz270w - / / / / / / /
h sonicwall tz370 - / / / / / / /
h sonicwall tz370w - / / / / / / /
h sonicwall tz470 - / / / / / / /
h sonicwall tz470w - / / / / / / /
h sonicwall tz570 - / / / / / / /
h sonicwall tz570p - / / / / / / /
h sonicwall tz570w - / / / / / / /
h sonicwall tz670 - / / / / / / /

CVSS Score

9.8 / 10

CVSS Data

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Date

  • Published: Aug. 23, 2024, 7:15 a.m.
  • Last Modified: Sept. 16, 2024, 7:48 p.m.

Status: Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

PSIRT@sonicwall.com

Relations

Here is the list of observables linked to the vulnerability CVE-2024-40766 using threat intelligence.

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.