SonicWall firewall admins urged to update to prevent devices from being compromised

Share post:

Network administrators with two models of SonicWall firewalls in their environments are being urged take action to prevent the devices from possibly being compromised.

The warning comes from researchers at Bishop Fox, an Arizona-based cybersecurity company, which says over 178,000 series 6 and series 7 next-generation firewalls could be in danger.

The problem is in unauthenticated denial-of-service vulnerabilities announced last year and in 2022, patches for which have already been issued. No exploitation has been seen in the wild since.

However, the researchers say a proof-of-concept exploit for the 2023 vulnerability has publicly been released.

“Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern,” the researchers said Monday.

SonicWall firewalls at risk are ones with management interfaces exposed to the internet, the report says.

“The impact of a widespread attack could be severe,” say the researchers. “In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality. The latest available firmware protects against both vulnerabilities, so be sure to upgrade immediately (and make sure the management interface isn’t exposed to the internet).

The two vulnerabilities are CVE-2022-22274, an unauthenticated buffer overflow affecting the firewalls’ web management interfaces, and CVE-2023-0656, a stack-based buffer overflow vulnerability in the SonicOS that could allow a remote unauthenticated attacker to cause Denial of Service (DoS), which could then cause an impacted firewall to crash.

Looking into the bugs, the Bishop Fox researchers found that CVE-2022-22274 was caused by the same vulnerable code pattern as  CVE-2023-0656 — but in a different place —  and exploitable at different HTTP URI paths. That makes exploitation easy.

Admins are urged to see if they have an exploitable device. If so, the web management interface should be detached from the internet, after which the firmware should be upgraded to the latest version.

“At this point in time, an attacker can easily cause a denial of service using this exploit,” note the researchers, “but as SonicWall noted in its advisories, a potential for remote code execution exists. While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges …

“Perhaps a bigger challenge for an attacker is determining in advance what firmware and hardware versions a particular target is using, as the exploit must be tailored to these parameters. Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low. Regardless, taking the appropriate precautions to secure your devices will ensure they don’t fall victim to a potentially painful DoS attack.”

The post SonicWall firewall admins urged to update to prevent devices from being compromised first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

What is Ticketmaster saying to its customers?

Here's the letter that has been sent out out to Ticketmaster clients that a reader sent to me....

Cyber Security Today, July 8, 2024 – New ransomware group discovered, and summer podcast break starts

A new ransomware group is discovered. Welcome to Cyber Security Today. It's Monday July 8th, 2024. I'm Howard Solomon,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways