SonicWall next-generation firewall (NGFW) devices [2] [3] [6] [7] [8], specifically series 6 and 7, have been found with their management interfaces exposed to the internet, which poses a significant security risk [7]. These devices are vulnerable to denial-of-service (DoS) attacks and potentially to remote code execution (RCE) [1] [2] [7].

Description

Two DoS security flaws [2] [7], tracked as CVE-2022-22274 and CVE-2023-0656 [2] [3] [6] [7] [8], are the vulnerabilities at issue [7]. Research conducted by Bishop Fox and WatchTowr Labs revealed that over 178,000 SonicWall firewalls with exposed management interfaces are vulnerable to these issues. They found that 76% of the devices were vulnerable to at least one of the bugs [1], while 62% were vulnerable to both [1].

The impact of a widespread DoS attack could be severe [1] [8], as the devices require administrative action to restore normal functionality after three crashes [1]. While remote code execution is possible [1], it is currently considered unlikely due to the challenges involved in exploiting the vulnerabilities [1].

To mitigate the risk of a DoS attack [6], network administrators are urged to check for vulnerable devices and update to the latest firmware [6], which provides protection against both vulnerabilities. It is also recommended to ensure that the management interface is not exposed to the internet to further mitigate these threats [5]. This is particularly important considering SonicWall’s large customer base, which includes government agencies and global enterprises [7].

The vulnerabilities were discovered by Bishop Fox security experts, and exploitation is possible if attackers know the firmware running on the SonicWall firewall [4]. However, a patch is already available to address these vulnerabilities, making it crucial for network administrators to promptly update their devices.

Conclusion

SonicWall NGFW appliances’ management interfaces should not be exposed online [2], and upgrading to the latest firmware versions is advised to protect against the vulnerabilities. The vulnerabilities, tracked as CVE-2022-22274 and CVE-2023-0656 [3] [6] [7] [8], have not been exploited in the wild [3], but a proof-of-concept exploit for CVE-2023-0656 has been publicly released [3] [8].

The impact of a large-scale attack could be severe [1] [3] [8]: SonicOS restarts after a crash, but after three crashes in a short period of time the device requires administrative action to recover [3]. The latest firmware update protects against both vulnerabilities [3] [6] [8], and administrators are advised to remove the web management interface from public access and upgrade to the latest available version [3].

While a denial of service is currently possible [3], remote code execution would require additional research and overcoming challenges such as PIE [3], ASLR [3], and stack canaries [3]. The likelihood of attackers leveraging RCE is still low due to the difficulty of determining the firmware and hardware versions of a target SonicWall firewall remotely [3].

References

[1] https://www.scmagazine.com/news/sonicwall-api-opens-178k-firewalls-to-attack
[2] https://ciso2ciso.com/over-178k-sonicwall-firewalls-vulnerable-to-dos-potential-rce-attacks-source-www-bleepingcomputer-com/
[3] https://securityaffairs.com/157524/hacking/vulnerable-sonicwall-ngfw-exposed-online.html
[4] https://www.techzine.eu/news/security/115370/more-than-178000-sonicwall-firewalls-vulnerable-to-simple-dos-attack/
[5] https://thehackernews.com/2024/01/alert-over-178000-sonicwall-firewalls.html
[6] https://www.darkreading.com/vulnerabilities-threats/78k-sonicwall-firewalls-vulnerable-dos-rce-attacks
[7] https://www.blackhatethicalhacking.com/news/over-178000-sonicwall-firewalls-exposed-to-dos-and-remote-code-execution-threats/
[8] https://bishopfox.com/blog/its-2024-and-over-178-000-sonicwall-firewalls-are-publicly-exploitable