Yesterday, Bishop Fox released research where they found that at least 178,000 SonicWall firewalls devices were vulnerable to at least one of two critical exploits that had been discovered over a year ago.
In 2022 and 2023, several vulnerabilities were detected in SonicWall next-generation firewall (NGFW) devices. SonicWall promptly issued advisories and released patches to mitigate the risks following these discoveries. However, Bishop Fox’ recent research found that an alarming number of the firewalls they examined remained vulnerable to these exploits.
The vulnerabilities CVE-2022-22274 and CVE-2023-0656 both relate to an overflow vulnerability, where an unauthenticated user can send an HTTP request to the firewall’s management interface that would crash the device. The issue is exacerbated by a default setting of the SonicWallOS, which places a device into maintenance mode after three successive crashes in a short time frame and requires manual intervention to restore and restart the device.
This means that a threat actor can leverage these vulnerabilities to launch a Denial of Service (DoS) attack, forcing susceptible firewalls and it’s protected networks offline.
Bishop Fox developed a testing methodology that allowed them to scan SonicWall’s NGFW devices that had their management interfaces exposed to the internet and non-destructively determine if they were still susceptible to the vulnerabilities. Of the 233,984 known accessible devices, 178,637, or 76%, were still vulnerable to at least one vulnerability. 62% were vulnerable to both.
It’s worrying enough that a quarter million firewall management interfaces are publicly accessible; it’s even worse that three-quarters of those are still vulnerable to a critical exploit that’s been discovered for almost a year. Given that many more SonicWall firewalls are in use than Bishop Fox could access and scan through the internet, the number of vulnerable devices is likely higher.
The silver lining is that there have not been any verified instances of these vulnerabilities being exploited by threat actors. However, the potential is real and alarming. Both Bishop Fox and SSDLabs have published proof-of-concept exploits showing that threat actors can leverage these vulnerabilities.
The good news is that remediation is simple. Patch it. SonicWall promptly released advisories to both vulnerabilities detailing workarounds, quickly released patches to resolve the issue, and incorporated those patches in future releases.
A robust and proactive firewall management program would have already incorporated these patches in the weeks or months after they were released.
For organizations utilizing SonicWall series 6 and 7 NGFW devices, it’s wise to double-check that you are running an up-to-date version where these vulnerabilities have been patched. It might also be a good time to consider if your management interface should be exposed to the Internet. If you find that your devices are still running an exploitable version, use this opportunity to review your patch and lifecycle management for critical security devices.
Even for those not using SonicWall’s Firewall solutions, it’s still a good opportunity to review your security. Just because a vendor produces a solid security product and provides fixes and patches in a timely manner does not mean you are automatically safe if administrators fail to implement those patches.