
Over 178,000 SonicWall firewalls for enterprises still vulnerable to DoS, RCE attacks

“The impact is worse for devices like this, because of their positioning on the network,” Bishop Fox researcher Jon Williams says.

Nearly 180,000 SonicWall firewalls remain vulnerable to a flaw first discovered in April 2022, despite the availability of a patch that addresses it.

Bishop Fox researchers wrote in a recent blog post that of the more than 234,000 SonicWall series 6 and 7 firewalls with management interfaces improperly exposed to the public internet, more than 178,000 remained vulnerable to two unauthenticated denial-of-service (DoS) vulnerabilities.

The two issues, CVE-2022-22274 and CVE-2023-0656, were discovered in March 2022 and April 2023 respectively. The security firm wrote that they are “fundamentally the same but exploitable at different HTTP URI paths” because of code reuse, and that they could potentially allow attackers to crash the devices or remotely execute code.

Bishop Fox Senior Security Engineer Jon Williams told IT Brew the devices in question are usually deployed to protect the perimeter of enterprises.

“For a small to medium business, you might have one or two of these devices protecting their attack surface,” Williams said. “And a large enterprise could have many of them, they tend to work in tandem to protect internal resources…and sit on the perimeter.”

Williams explained the vulnerabilities derive from a misuse of a function.

“The developers use the function call twice in a row, and took the output from the first call and used it as a parameter for the second call,” Williams said. “In doing this, they made a mistake: they assumed that the value returned from the first call would always be within a safe parameter.”

An attacker with access to the management interface could supply input that makes the value passed to the second call larger than the bound it assumes. The resulting buffer overflow could trip stack protections and crash the whole service, or allow the attacker to write arbitrary data onto the stack.
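The pattern Williams describes, as an added illustration in C that is neither SonicWall's nor Bishop Fox's code: a hypothetical first call returns a length taken from a request field, a second call copies that many bytes into a fixed-size stack buffer, and the hardened version inserts the missing bounds check between the two. The function names, the 64-byte buffer size and the input shape are all invented for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical size of the stack buffer the second call writes into. */
#define FIELD_BUF_SIZE 64

/* Hypothetical "first call": parses a decimal length out of a request field
 * and returns it.  Nothing here bounds the result. */
size_t read_declared_length(const char *length_field) {
    return (size_t)strtoul(length_field, NULL, 10);
}

/* Vulnerable pattern: the value returned by the first call is trusted as the
 * copy length for the second call.  A declared length above FIELD_BUF_SIZE
 * writes past field_buf; with stack protection enabled the canary check aborts
 * the process (a denial of service), without it the caller's frame is
 * overwritten.  Kept here only for comparison; not safe on untrusted input. */
int handle_field_unchecked(const char *length_field, const char *payload) {
    char field_buf[FIELD_BUF_SIZE];
    size_t n = read_declared_length(length_field);
    memcpy(field_buf, payload, n);   /* no comparison against sizeof field_buf */
    return (int)n;
}

/* Hardened form: validate the value between the two calls.  The declared
 * length must fit the destination and must not exceed the bytes actually
 * received; otherwise the request is rejected instead of overflowing. */
int handle_field_checked(const char *length_field, const char *payload,
                         size_t payload_len) {
    char field_buf[FIELD_BUF_SIZE];
    size_t n = read_declared_length(length_field);
    if (n > sizeof field_buf || n > payload_len)
        return -1;                   /* reject: declared length is out of bounds */
    memcpy(field_buf, payload, n);
    return (int)n;
}

int main(void) {
    /* Constructed inputs: a well-formed field and one declaring 4096 bytes. */
    const char *body = "0123456789abcdef";
    printf("checked, declared 16:   %d\n",
           handle_field_checked("16", body, strlen(body)));
    printf("checked, declared 4096: %d\n",
           handle_field_checked("4096", body, strlen(body)));
    return 0;
}
```

The check sits exactly where the article says the assumption was made: between the call that produces the value and the call that consumes it. Checking against both the destination size and the bytes actually received also stops an over-read of the payload, which a size-only check would miss.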

In the blog post, Williams described the potential impact of the vulnerabilities as “severe.” The researchers used a script to detect the SonicWall firewalls improperly configured to allow access to the admin panel via the public internet, of which 76% were vulnerable to at least one of the two methods.


In the event of a DoS attack, for example, a firewall of the affected type is designed to crash and reboot only three times before it “boots into maintenance mode and requires administrative action to restore normal functionality.” Remote code execution is a possibility, although according to Bishop Fox, additional research would be required to achieve it.

A firmware update that addresses both vulnerabilities is available, meaning many operators of SonicWall firewalls have failed to keep their devices up to date. There are no reports that threat actors are exploiting the flaws yet, according to Bishop Fox.

Configuration errors and failure to patch are perennial problems for all manner of IT equipment, though Williams pointed out firewalls are particularly important to keep locked down and up to date.

“The impact is worse for devices like this, because of their positioning on the network, because they do tend to sit at the perimeter, they do tend to be publicly accessible by design,” Williams told IT Brew.

“In this case, you had a management interface—even though the device may have some public facing services, the management side definitely should not be,” he added.

In a statement to IT Brew, SonicWall spokesperson Bret Fitzgerald confirmed the vulnerabilities were “not new,” and the company has reached out “several times over the past year” to operators of potentially affected units.

“After reviewing the case logs, SonicWall has seen no active exploitation of the affected firmware in the wild, and it’s likely that the methods used to collect populations affected also captured units in our global SonicLabs sensor population,” Fitzgerald added.
