Network administrators with two models of SonicWall firewalls in their environments are being urged take action to prevent the devices from possibly being compromised.
The warning comes from researchers at Bishop Fox, an Arizona-based cybersecurity company, which says over 178,000 series 6 and series 7 next-generation firewalls could be in danger.
The problem is in unauthenticated denial-of-service vulnerabilities announced last year and in 2022, patches for which have already been issued. No exploitation has been seen in the wild since.
However, the researchers say a proof-of-concept exploit for the 2023 vulnerability has publicly been released.
“Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern,” the researchers said Monday.
SonicWall firewalls at risk are ones with management interfaces exposed to the internet, the report says.
“The impact of a widespread attack could be severe,” say the researchers. “In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality. The latest available firmware protects against both vulnerabilities, so be sure to upgrade immediately (and make sure the management interface isn’t exposed to the internet).
The two vulnerabilities are CVE-2022-22274, an unauthenticated buffer overflow affecting the firewalls’ web management interfaces, and CVE-2023-0656, a stack-based buffer overflow vulnerability in the SonicOS that could allow a remote unauthenticated attacker to cause Denial of Service (DoS), which could then cause an impacted firewall to crash.
Looking into the bugs, the Bishop Fox researchers found that CVE-2022-22274 was caused by the same vulnerable code pattern as CVE-2023-0656 — but in a different place — and exploitable at different HTTP URI paths. That makes exploitation easy.
Admins are urged to see if they have an exploitable device. If so, the web management interface should be detached from the internet, after which the firmware should be upgraded to the latest version.
“At this point in time, an attacker can easily cause a denial of service using this exploit,” note the researchers, “but as SonicWall noted in its advisories, a potential for remote code execution exists. While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges …
“Perhaps a bigger challenge for an attacker is determining in advance what firmware and hardware versions a particular target is using, as the exploit must be tailored to these parameters. Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low. Regardless, taking the appropriate precautions to secure your devices will ensure they don’t fall victim to a potentially painful DoS attack.”
