Two unauthenticated denial-of-service vulnerabilities are threatening the security of SonicWall next-generation firewall devices, exposing more than 178,000 of them to both DoS and remote code execution attacks.
SonicWall products affected are series 6 and 7 firewalls.
BishopFox researchers used BinaryEdge source data to scan SonicWall firewalls with management interfaces exposed to the Internet and found that out of 233,984 devices discovered, 178,637 are vulnerable to one or both issues.
Though so far there are no reports that either flaw has been exploited in the wild, exploit code is available for the more recently discovered bug, and BishopFox also developed its own exploit code for the flaws.
Fortunately for organizations that use the affected SonicWall devices, the latest available firmware protects against both vulnerabilities, and an update can mitigate risk, Williams said.
A Tale of Two Unauthenticated Flaws
Of the two bugs, CVE-2022-22274 - an unauthenticated buffer overflow affecting NGFW web management interfaces discovered in March 2022 - was rated as more dangerous, earning a critical rating of 9.4 on the CVSS versus the 7.5 rating of CVE-2023-0656, which is ostensibly the same type of flaw and was discovered about a year later.
A remote, unauthenticated attacker could exploit the flaw via an HTTP request to cause DoS or potentially execute code in the firewall, according to a report by Watchtower Labs on the vulnerability published in October.
BishopFox used that report as the basis for a deeper dive into the mechanics of how CVE-2022-22274 works, and to develop their own exploit code for it.
In the process they ultimately discovered CVE-2023-0656 - which the researchers initially thought might be a zero-day but which had already been reported by SonicWall - and found that the two flaws are related.
The researchers triggered CVE-2022-22274 through an HTTP request that needed to satisfy two conditions: the URI path must be longer than 1024 bytes, and the HTTP version string must be long enough to cause a stack canary overwrite.
They managed to achieve a DoS attack against vulnerable SonicWall series 6 and 7 virtual appliances, even some patched versions.
This is what led them to realize that while CVE-2022-22274 was patched on the firewalls, CVE-2023-0656 was not - and that both flaws are caused by the same vulnerable code pattern in different places, Williams said.
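Because the article describes the trigger only in terms of the shape of the request line (a URI path longer than 1024 bytes and an over-long HTTP version string), that shape is something a defender can look for in web-management access logs. The following is an added detection example, not BishopFox's tool or any code from the article: it parses HTTP request lines, flags the two conditions the article names, and runs over a few constructed sample lines. The 1024-byte threshold comes from the article; the set of "known" version strings and the sample lines are assumptions made here.

```python
import re
from dataclasses import dataclass

# Threshold taken from the article's description of the first trigger condition.
URI_PATH_LIMIT = 1024
# Version strings a well-formed client sends (assumption: anything else is suspect).
KNOWN_VERSIONS = {"HTTP/0.9", "HTTP/1.0", "HTTP/1.1", "HTTP/2", "HTTP/2.0", "HTTP/3"}

# METHOD SP request-target SP HTTP-version
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>\S+)$")


@dataclass
class Finding:
    line_no: int
    reason: str


def inspect_request_line(line: str) -> list[str]:
    """Return the reasons this request line matches the malformed pattern the
    article describes for CVE-2022-22274 / CVE-2023-0656; empty if it looks clean."""
    reasons = []
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if not m:
        return ["request line does not parse as METHOD TARGET VERSION"]
    target, version = m.group("target"), m.group("version")
    path = target.split("?", 1)[0]          # ignore the query string, measure the path only
    path_len = len(path.encode())
    if path_len > URI_PATH_LIMIT:
        reasons.append(f"URI path is {path_len} bytes (> {URI_PATH_LIMIT})")
    if version not in KNOWN_VERSIONS:
        reasons.append(f"non-standard HTTP version string of {len(version)} bytes")
    return reasons


def scan_request_lines(lines) -> list[Finding]:
    """Run inspect_request_line over every line and collect findings with line numbers."""
    findings = []
    for i, line in enumerate(lines, 1):
        for reason in inspect_request_line(line):
            findings.append(Finding(i, reason))
    return findings


# Constructed sample request lines: two benign, one with only an over-long path,
# one with an over-long path and a padded version string, one benign again.
SAMPLE_LINES = [
    "GET /index.html HTTP/1.1",
    "POST /api/login HTTP/1.1",
    "GET /" + "A" * 1100 + " HTTP/1.1",
    "GET /" + "A" * 1100 + " HTTP/1.1" + "B" * 200,
    "GET /favicon.ico HTTP/1.1",
]

if __name__ == "__main__":
    for f in scan_request_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.reason}")
```

Only lines 3 and 4 of the constructed sample are flagged; line 4 trips both conditions. In practice the check would be fed the request lines a reverse proxy or the firewall's own web server logs, and a hit on the version-string condition alone is already unusual enough to be worth alerting on, since no legitimate client pads that field.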
BishopFox released a Python tool for testing and even exploiting the flaws on SonicWall devices.
Patch & Protect Against SonicWall Cyberattacks
Hundreds of thousands of companies across the globe use SonicWall products, including numerous government agencies and some of the largest enterprises in the world.
Their widespread use makes them an attractive attack surface when devices become vulnerable; indeed, attackers have a history of pouncing on SonicWall flaws for ransomware and other attacks.
At this point the danger lies more in a DoS incident than in a potential RCE attack, even with the available exploit, because attackers would have several technical hurdles to overcome - including PIE, ASLR, and stack canaries, Williams noted.
Regardless, network administrators still should take precautions to secure devices.
BishopFox is urging network administrators to use the tool the researchers developed to check for vulnerable devices.
If vulnerable devices are found, administrators should ensure that the management interface of the device is not exposed online, and proceed with an update to the latest firmware to secure it against a potential DoS attack.
This Cyber News was published on www.darkreading.com. Publication date: Tue, 16 Jan 2024 16:50:04 +0000