Network administrators warned of vulnerabilities in SonicWall series 6 and 7 firewalls. Unauthenticated exploits could lead to severe consequences. (IT World Canada)
Network administrators using SonicWall firewalls, specifically the series 6 and series 7 models, have received a warning to take precautionary measures against potential compromises, according to cybersecurity researchers at Bishop Fox, an Arizona-based cybersecurity company. The concern revolves around unauthenticated denial-of-service vulnerabilities that were disclosed in 2022 and 2023, both of which have received patches.
While there haven't been any reported exploits in the wild for the vulnerabilities disclosed in 2022 and 2022, researchers note that a proof-of-concept exploit for the 2023 vulnerability has been publicly released. The researchers highlight that the two issues share a fundamental similarity but are exploitable at different HTTP URI paths due to the reuse of a vulnerable code pattern.
The identified SonicWall firewalls at risk are those with exposed management interfaces to the internet. The potential impact of a widespread attack is deemed severe by the researchers. In the default configuration, SonicOS restarts after a crash, but after three crashes in a short timeframe, it enters maintenance mode, requiring administrative action for restoration. Upgrading to the latest firmware is crucial for protection against both vulnerabilities, and administrators are advised to ensure that the management interface is not exposed to the internet.
The two vulnerabilities in question are CVE-2022-22274, an unauthenticated buffer overflow affecting the web management interfaces, and CVE-2023-0656, a stack-based buffer overflow vulnerability in SonicOS, capable of causing Denial of Service (DoS) by a remote unauthenticated attacker. This could result in the impacted firewall crashing.
Upon examining the vulnerabilities, Bishop Fox researchers discovered that CVE-2022-22274 and CVE-2023-0656 share the same vulnerable code pattern but are located in different places, making exploitation relatively straightforward. Administrators are strongly encouraged to assess if their devices are exploitable and, if so, detach the web management interface from the internet. Additionally, upgrading the firmware to the latest version is emphasized as a crucial step.
The researchers point out that, currently, an attacker can easily cause a denial of service using the exploit. While the potential for remote code execution exists, SonicWall advisories note that devising an exploit for arbitrary commands may pose challenges and require further research. Furthermore, determining the specific firmware and hardware versions of a target presents a hurdle for attackers, as there is currently no known technique for remotely fingerprinting SonicWall firewalls. Despite this, the researchers stress the importance of taking appropriate precautions to secure devices and prevent potential DoS attacks.
