SonicWall has released patches for a critical-severity vulnerability in the web management interface of multiple firewall appliances.
Tracked as CVE-2022-22274 (CVSS score of 9.4), the security flaw is described as a stack-based buffer overflow bug that impacts SonicOS.
The flaw allows a remote, unauthenticated attacker to send crafted HTTP requests that cause a denial-of-service (DoS) condition or execute code on the firewall.
The vulnerability impacts over 30 SonicWall appliances running software versions 7.0.1-5050 and older, 7.0.1-R579 and older, and 18.104.22.168-44v-21-1452 and earlier.
SonicWall has addressed the vulnerability with the release of software versions 7.0.1-5051 and 22.214.171.124-44v-21-1519. The company also announced that a hotfix for the NSsp 15700 firewall will arrive in mid-April.
For customers who cannot apply the available patches immediately, the recommended mitigation is to limit SonicOS management access to trusted IP addresses by modifying the SonicOS management access rules (SSH/HTTPS/HTTP Management).
“For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844). SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022,” the company notes.
SonicWall says that it is not aware of this vulnerability being actively exploited in the wild, and proof-of-concept (PoC) code targeting the bug does not appear to be publicly available.
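To turn the version thresholds quoted above into a fleet check, here is an added example (not SonicWall's code or tooling) that classifies SonicOS 7.0.1 version strings against the affected, fixed and hotfix builds named in this article; the 6.5 line is deliberately reported as "unknown" rather than modelled, and the inventory below is constructed sample data.

```python
import re
from typing import Optional, Tuple

# Thresholds as stated in the advisory coverage above (7.0.1 branch only).
FIXED_BUILD_7_0_1 = 5051          # 7.0.1-5051 and later carry the fix
LAST_AFFECTED_R_BUILD = 579       # 7.0.1-R579 and older are affected
NSSP_HOTFIX = "7.0.1-5030-HF-R844"  # hotfix firmware quoted for NSsp 15700

# Matches '7.0.1-5050', '7.0.1-R579' and '7.0.1-5030-HF-R844'.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(R?)(\d+)(?:-HF-R(\d+))?$")


def parse_sonicos_version(version: str) -> Optional[Tuple[Tuple[int, int, int], bool, int, Optional[int]]]:
    """Return (release, is_r_branch, build, hotfix) or None if the string is unrecognised."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    is_r = m.group(4) == "R"
    build = int(m.group(5))
    hotfix = int(m.group(6)) if m.group(6) else None
    return release, is_r, build, hotfix


def assess_cve_2022_22274(version: str) -> str:
    """Classify one SonicOS version as 'patched', 'hotfixed', 'vulnerable' or 'unknown'."""
    parsed = parse_sonicos_version(version)
    if parsed is None:
        return "unknown"
    release, is_r, build, hotfix = parsed
    if release != (7, 0, 1):
        return "unknown"                      # 6.5.x line is not modelled here
    if hotfix is not None:
        # Only the hotfix build named in the advisory is treated as fixed (assumption).
        return "hotfixed" if version.strip() == NSSP_HOTFIX else "unknown"
    if is_r:
        # Newer R builds are not listed as fixed, so they are not marked safe.
        return "vulnerable" if build <= LAST_AFFECTED_R_BUILD else "unknown"
    return "patched" if build >= FIXED_BUILD_7_0_1 else "vulnerable"


def triage_inventory(inventory: dict) -> list:
    """Return [(host, version, status)] for every device not confirmed patched or hotfixed."""
    return [(h, v, s) for h, v in sorted(inventory.items())
            if (s := assess_cve_2022_22274(v)) not in ("patched", "hotfixed")]


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-1": "7.0.1-5050",           # affected, needs 7.0.1-5051
    "fw-edge-2": "7.0.1-5051",           # patched
    "fw-nssp-dc": "7.0.1-R579",          # affected NSsp build, needs hotfix
    "fw-nssp-lab": "7.0.1-5030-HF-R844", # hotfixed
}
```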