Over 178,000 SonicWall firewalls are vulnerable to remote code execution

Cybersecurity firm Bishop Fox has found that more than 178,000 SonicWall next-generation firewalls (NGFW) whose management interfaces are reachable from the internet are vulnerable to denial of service (DoS) and remote code execution (RCE).

The devices are affected by two vulnerabilities:

  1. CVE-2022-22274 (CVSS score: 9.8): A stack-based buffer overflow in SonicOS, reachable through an HTTP request, that allows a remote, unauthenticated attacker to cause a DoS and potentially execute code on the firewall.
  2. CVE-2023-0656 (CVSS score: 7.5): A stack-based buffer overflow in SonicOS that allows a remote, unauthenticated attacker to cause a DoS, crashing the firewall.
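Both flaws belong to the same bug class: an HTTP request field copied into a fixed-size stack buffer without a length check. The following C program is an added illustration of that class written for this article; it is not SonicOS code and models nothing about the real devices. The 64-byte buffer, the handler names, the 414 status for over-long targets and the constructed request lines are all assumptions made for the demonstration. The vulnerable handler is shown for contrast only and is never run on over-long input here, because doing so is undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the on-stack request-path buffer. */
#define PATH_BUF 64

/* Locate the request-target in an HTTP request line ("GET /path HTTP/1.1").
 * On success stores its start in *path and returns its length; -1 if malformed. */
static long request_target(const char *req, const char **path)
{
    const char *start = strchr(req, ' ');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, ' ');
    if (end == NULL)
        return -1;
    *path = start;
    return (long)(end - start);
}

/* Vulnerable pattern. The target is copied into a fixed stack buffer with no
 * bound check, so a request line whose target is PATH_BUF bytes or longer
 * writes past 'path' into the rest of the stack frame: a crash (DoS) at
 * minimum, and potentially control-flow hijack if the overwrite reaches the
 * saved return address. Shown for contrast only; never feed it untrusted input. */
int handle_request_vulnerable(const char *req)
{
    char path[PATH_BUF];
    const char *p;
    long n = request_target(req, &p);
    if (n < 0)
        return 400;
    memcpy(path, p, (size_t)n);   /* unbounded write into a 64-byte buffer */
    path[n] = '\0';
    return strcmp(path, "/") == 0 ? 200 : 404;
}

/* Hardened pattern: check the length against the buffer before copying and
 * refuse over-long targets with 414 URI Too Long. */
int handle_request_hardened(const char *req)
{
    char path[PATH_BUF];
    const char *p;
    long n = request_target(req, &p);
    if (n < 0)
        return 400;
    if ((size_t)n >= sizeof path)  /* leave room for the terminator */
        return 414;
    memcpy(path, p, (size_t)n);
    path[n] = '\0';
    return strcmp(path, "/") == 0 ? 200 : 404;
}

/* Constructed test input: a request line whose target is 'target_len' bytes
 * ("/aaaa..."), far larger than PATH_BUF. Returns the hardened handler's
 * status so the rejection can be checked without ever running the
 * vulnerable handler on it. */
int hardened_status_for_long_target(size_t target_len)
{
    char req[1024];
    if (target_len < 1 || target_len + 16 > sizeof req)
        return -1;
    size_t off = 0;
    memcpy(req + off, "GET /", 5);            off += 5;
    memset(req + off, 'a', target_len - 1);   off += target_len - 1;
    memcpy(req + off, " HTTP/1.1", 9);        off += 9;
    req[off] = '\0';
    return handle_request_hardened(req);
}

int main(void)
{
    printf("short path, vulnerable handler : %d\n", handle_request_vulnerable("GET / HTTP/1.1"));
    printf("short path, hardened handler   : %d\n", handle_request_hardened("GET /admin HTTP/1.1"));
    printf("300-byte path, hardened handler: %d\n", hardened_status_for_long_target(300));
    return 0;
}
```

The two handlers differ by a single comparison before the copy; that comparison is the whole fix for this class of bug. In a real device the consequence of omitting it is exactly what the article describes: a crash that takes the firewall offline, or worse if the attacker controls what lands on the stack.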

Bishop Fox scanned SonicWall firewalls with internet-reachable management interfaces and found that 76% of them (178,637 of 233,984) were vulnerable to one or both issues.

Even where attackers cannot achieve code execution, either flaw lets them crash the device into maintenance mode, from which an administrator must intervene to restore normal operation. So even without RCE, an attacker can exploit these bugs to knock a perimeter firewall offline, and with it the VPN access to the corporate network that the firewall provides.

Although the SonicWall Product Security Incident Response Team (PSIRT) reports no known in-the-wild exploitation of these vulnerabilities, at least one proof-of-concept (PoC) exploit for CVE-2022-22274 is publicly available: SSD Labs published a technical description of the flaw together with a PoC, noting two URI paths through which the bug can be triggered.

Administrators should ensure that the management interfaces of their SonicWall firewalls are not reachable from the internet and should update to the latest firmware as soon as possible.

SonicWall devices have been targeted before. In March 2023, Chinese hackers were reported to have exploited unpatched SonicWall gateways to install credential-stealing malware that survives firmware updates. In January 2021, SonicWall disclosed that its internal systems had been breached through a zero-day vulnerability in its VPN products.