The majority of internet-exposed SonicWall next-generation firewall series 6 and 7 devices have not been patched against two potentially serious vulnerabilities, cybersecurity firm Bishop Fox reports.
The issues, tracked as CVE-2022-22274 and CVE-2023-0656 and rated critical- and high-severity, respectively, can be exploited remotely, without authentication. An attacker can use them to cause a denial-of-service (DoS) condition, but remote code execution (RCE) has not been ruled out either. SonicWall released patches for them in March 2022 and March 2023.
According to Bishop Fox, the two flaws are essentially the same, “but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern.”
Scanning the internet for vulnerable devices, the cybersecurity firm discovered that more than 178,000 of the SonicWall firewalls that have a publicly accessible web management interface are vulnerable to at least one of the security defects.
“The impact of a widespread attack could be severe. In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality,” Bishop Fox notes.
In its advisories, SonicWall notes that it is not aware of active exploitation of any of these vulnerabilities and that it has received no reports of proof-of-concept (PoC) exploit code being published for them.
However, PoC code targeting CVE-2023-0656 has been public since April 2023, when SSD Labs published it along with technical details on the bug.
By analyzing the root cause of these vulnerabilities, Bishop Fox identified a link between them and was able to create new PoC exploits for both. The exploit for CVE-2023-0656, the firm says, is similar to what SSD Labs published almost a year ago.
“To our knowledge, no previous research has been published establishing a link between CVE-2022-22274 and CVE-2023-0656. Clearly, both vulnerabilities share the same underlying bug, but the initial patch only fixed the vulnerable code in one place, leaving the other instances to be found and reported a year later,” BishopFox says.
After developing the PoCs, the cybersecurity firm started looking for vulnerable devices accessible from the internet, and discovered that more than 146,000 firewalls remain unpatched against CVE-2022-22274, and that 178,000 are not patched against CVE-2023-0656.
In fact, almost all 146,000 vulnerable SonicWall firewalls are missing patches for both vulnerabilities. With CVE-2022-22274 also exploitable for remote code execution (RCE), these devices are potentially at risk of more than just DoS.
SonicWall customers are advised to apply the available patches as soon as possible. Vulnerabilities in SonicWall firewalls are known to have been exploited in malicious attacks.