More than 178,000 SonicWall firewalls are still vulnerable to years-old vulnerabilities, an infosec researcher claims.
A study by Jon Williams, senior security engineer at Bishop Fox, this week highlights what he refers to as weapons-grade patch apathy from SonicWall customers, with the number of exploitable devices representing 76 percent of those that are public-facing.
With a focus on CVE-2022-22274 and CVE-2023-0656 specifically, Williams said 178,637 of 233,984 public-facing SonicWall next-generation firewall series 6 and 7 devices are vulnerable to one or both of these flaws.
Both vulnerabilities lead to denial of service, but the former is easily the more serious since it can also potentially lead to remote code execution, earning it a near-maximum 9.8 severity score for its exploitability and potential impact.
Even if attackers weren't able to achieve RCE, they could force a targeted device into maintenance mode, requiring an admin's intervention while leaving organizational disruption behind, said Williams.
Admins are urged to upgrade to the latest versions of NGFW firmware immediately, which include working patches that have long been available.
Fortunately for SonicWall customers, there is no evidence to suggest either of the vulnerabilities are under active exploitation, although a proof-of-concept exploit that works against both has been developed by SSD Labs and is available online, contrary to SonicWall's advisory.
That's not to say they won't ever be targeted though, especially now that attention has once again been drawn to the vulnerabilities and the attack surface.
Chinese cyberspies were spotted targeting unpatched SonicWall gear less than a year ago, and Charles Carmakal, CTO at Mandiant, said at the time that vulnerabilities in firewalls are typically among the most targeted.
As for why neither CVE-2022-22274 nor CVE-2023-0656 has been exploited in the wild so far, Sean Wright, head of application security at Featurespace, told The Register that he suspected it was likely due to a combination of factors.
CVE-2023-0656 only leads to a DoS, which is difficult for a cybercriminal to monetize, and he guessed achieving RCE with CVE-2022-22274 would likely be too difficult in comparison with the other lucrative and easy-to-exploit RCE vulnerabilities up for grabs.
The Register approached SonicWall for comment but it didn't respond.
This article was published on go.theregister.com. Publication date: Tue, 16 Jan 2024 17:43:03 +0000