Almost 180,000 SonicWall firewall devices are vulnerable to DoS and possible RCE attacks
Two vulnerabilities in SonicWall firewalls could allow threat actors to wreak havoc on over 178,000 vulnerable devices


More than 178,000 SonicWall next-generation firewalls still feature two vulnerabilities that could allow denial-of-service (DoS) attacks, new research shows.
Security specialists BishopFox published new research into two unauthenticated DoS vulnerabilities affecting SonicWall next-generation firewall series 6 and 7 devices, which could also leave networks open to remote code execution (RCE) attacks.
The analysis found the two security issues are fundamentally the same but are exploitable at different HTTP URI paths because the same insecure code pattern was reused during development.
Security engineer at BishopFox, Jon Williams, authored the report and used BinaryEdge source data to scan SonicWall firewalls with management interfaces exposed to the internet.
The scan revealed a considerable 178,637 of the total 233,984 firewalls scanned were vulnerable to one or both security flaws.
BishopFox has produced a test script that will help users determine whether a device is vulnerable without crashing it.
Williams advises organizations to test any SonicWall next-generation firewall devices and, if any are found to be vulnerable, remove the web management interface from public access and upgrade the firmware to the latest version possible.
Risk of SonicWall RCE attacks remains low
The specific vulnerabilities affecting these devices are CVE-2022-22274 and CVE-2023-0656, with CVSS scores of 9.4 and 7.5 respectively.
Both vulnerabilities involve a stack-based buffer overflow in SonicOS, with the former triggered via HTTP requests, and both can cause a DoS and crash the firewall.
CVE-2022-22274, however, also carries the added threat of allowing threat actors to achieve RCE on the firewall, leading to its 9.5 severity rating.
Commenting on the likelihood of these issues being exploited, Williams said that although attackers could easily use these vulnerabilities to cause a DoS and potentially crash devices, the chances of them leveraging an RCE attack are low.
This is because an RCE attack would require the hacker to establish the specific version of the hardware and firmware a victim has.
“Perhaps a bigger challenge for an attacker is determining in advance what firmware and hardware versions a particular target is using, as the exploit must be tailored to these parameters,” he said.
“Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low.”
Despite this, Williams said the potential impact of a widespread attack exploiting these vulnerabilities would be severe. Even if attackers are unable to leverage RCE, they can still force the device into maintenance mode after causing it to crash three times in succession.
Maintenance mode requires administrative action to restore the device to normal functionality, so these vulnerabilities should be addressed as quickly as possible to minimize potential downtime.
Threat actors could also use the vulnerabilities to disable edge firewalls and VPN access to an organization’s network.
This report follows recent research by watchTowr Labs, who discovered nine new vulnerabilities affecting SonicWall firewall appliances.
The coverage of these vulnerabilities comes after SonicWall’s acquisition of security service edge (SSE) and zero trust network access specialist Banyan Security.
The acquisition looks to be aimed at strengthening SonicWall’s cloud offering and will help the security company organize its network, endpoint, wireless, cloud email, and threat intelligence under a single multi-tenant portal.

Solomon Klappholz is a former staff writer for ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in cybersecurity, IT regulation, industrial infrastructure applications, and machine learning.