Over 178K SonicWall Firewalls Vulnerable to DoS, Potential RCE Attacks

A significant security concern has been raised for organizations using SonicWall next-generation firewalls (NGFW). Here’s what you need to know.  

Tell me more about the SonicWall firewall vulnerability 

Security experts have identified that over 178,000 SonicWall firewalls with their management interfaces accessible online, specifically series 6 and series 7, are at risk of two critical vulnerabilities. These vulnerabilities could lead to denial-of-service (DoS) attacks and potentially allow remote code execution (RCE). 

The vulnerabilities in question are: 

  • CVE-2022-22274 (CVSS score: 9.4): This is a stack-based buffer overflow vulnerability in SonicOS that can be triggered via an HTTP request. A remote, unauthenticated attacker could exploit this to cause a DoS attack or potentially execute code on the firewall. 
  • CVE-2023-0656 (CVSS score: 7.5): Like CVE-2022-22274, this is a stack-based buffer overflow vulnerability in SonicOS that could lead to a DoS attack, potentially crashing the system. 

Despite being disclosed a year apart, these vulnerabilities are fundamentally similar; however, they require different HTTP URI paths for exploitation. SonicWall released patches for both vulnerabilities in March 2022 and March 2023, respectively.  

The SSD Secure Disclosure team has even published a proof-of-concept (PoC) for CVE-2023-0656, which demonstrates the exploit. Such PoCs often serve as a blueprint for threat actors to develop and deploy their own exploits.  

What is Nuspire doing?  

Nuspire, in response to these emerging threats, actively conducts threat hunts within client environments to detect signs of compromise. This proactive approach aims to identify exposed or unpatched devices and remediate them before threat actors can exploit them. 

How should I protect myself from the SonicWall firewall vulnerability?  

The potential impact of these vulnerabilities being exploited is severe. SonicOS is configured by default to restart after a crash. However, if the system crashes three times in quick succession, it enters maintenance mode, necessitating administrative intervention to resume normal operations. 

To protect your organization from these threats, it is crucial to: 

  • Update your firewall: Ensure that your SonicWall device is running the latest version of the software, which includes patches for these vulnerabilities. 
  • Restrict management access: It is advisable to disable internet access to the management portal or limit it to trusted IP addresses only. 

By taking these steps, you can significantly reduce the risk of falling victim to these vulnerabilities and maintain the integrity of your network security. 
