Over 178,000 SonicWall Firewalls Exposed to Potential Hacks Due to Unpatched Vulnerabilities

January 15, 2024

Two unpatched vulnerabilities, tracked as CVE-2022-22274 and CVE-2023-0656, have been discovered in SonicWall next-generation firewall (NGFW) series 6 and 7 devices, potentially exposing over 178,000 of these firewalls online to hacking attempts. An unauthenticated attacker can use these vulnerabilities to cause a denial of service, and they could possibly lead to remote code execution.

Although a proof-of-concept exploit for CVE-2023-0656 is publicly available, SonicWall has reported no known instances of these vulnerabilities being exploited in the wild.

The vulnerabilities were discovered by researchers from Bishop Fox, who used data from BinaryEdge to identify SonicWall firewalls with exposed management interfaces on the internet. The researchers found that out of 233,984 Internet-facing firewalls, 178,637 (or 76%) were vulnerable to one or both of the identified issues.

Notably, the researchers found that the two vulnerabilities are essentially the same, but can be exploited at different HTTP URI paths due to the repeated use of a vulnerable code pattern. The researchers also created a test script that can identify whether a device is vulnerable without causing it to crash, indicating that a large-scale attack could have significant impact.

As stated in the advisory published by Bishop Fox, “In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality.” The advisory also urges users to upgrade to the latest firmware, which offers protection against both vulnerabilities, and to ensure that the management interface is not exposed to the internet.

Administrators of vulnerable devices are advised to remove the web management interface from public access and to upgrade the firmware to the most recent version available.

The report concludes by acknowledging the potential for remote code execution, stating that “At this point in time, an attacker can easily cause a denial of service using this exploit, but as SonicWall noted in its advisories, a potential for remote code execution exists. While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges, including PIE, ASLR, and stack canaries.” However, the report also notes that the likelihood of attackers leveraging remote code execution is still low, as it would require knowledge of the target's specific firmware and hardware versions, and no known technique currently exists for remotely fingerprinting SonicWall firewalls.
