Over 178,000 SonicWall next-generation firewalls (NGFW) are at risk of denial-of-service (DoS) and potential remote code execution (RCE) attacks due to two identified security flaws, CVE-2022-22274 and CVE-2023-0656. Security researchers from Bishop Fox discovered the vulnerabilities, both caused by the reuse of the same vulnerable code pattern. Scanning SonicWall firewalls with exposed internet-facing management interfaces, the researchers found that 76% of them are susceptible to one or both of these issues. Even if remote code execution is not achieved, attackers could force the appliances into maintenance mode, disrupting normal functionality and potentially impacting VPN access to corporate networks.
While SonicWall’s Product Security Incident Response Team (PSIRT) has no knowledge of the vulnerabilities being exploited in the wild, a proof-of-concept (PoC) exploit for CVE-2022-22274 is available online. The vulnerability was identified using a technical writeup by SSD Labs, which outlined two URI paths triggering the bug. Administrators are strongly advised to ensure that the management interface of SonicWall NGFW appliances is not exposed online and to promptly upgrade to the latest firmware versions. SonicWall’s history includes previous cyber-espionage attacks and ransomware incidents, making the mitigation of these vulnerabilities crucial for over 178,000 affected devices.
The exposure of more than 178,000 SonicWall NGFW devices highlights the critical nature of securing internet-facing infrastructure, with potential risks of DoS and remote code execution. The vulnerabilities were discovered to be present in a significant portion of scanned devices, emphasizing the urgent need for administrators to take preventive measures. Despite SonicWall’s assurance that there is no known exploitation in the wild, the existence of a PoC exploit raises concerns about the potential for malicious actors to exploit these weaknesses. System administrators are urged to follow best practices, including securing management interfaces and applying firmware updates promptly, to mitigate the identified security risks.
