More than 178,000 SonicWall firewalls are exposed to old denial of service bugs

Majority of public-facing devices still unpatched against critical vulns from as far back as 2022

Updated More than 178,000 SonicWall firewalls are still vulnerable to years-old vulnerabilities, an infosec researcher claims.

A study by Jon Williams, senior security engineer at Bishop Fox, this week highlights what he refers to as weapons-grade patch apathy from SonicWall customers, with the number of exploitable devices representing 76 percent of those that are public-facing.

With a focus on CVE-2022-22274 and CVE-2023-0656 specifically, Williams said 178,637 of 233,984 public-facing SonicWall next-generation firewall (NGFW) series 6 and 7 devices are vulnerable to one or both of these flaws.

Both vulnerabilities lead to denial of service (DoS), but the former is the more serious of the two since it can also potentially lead to remote code execution (RCE), earning it a near-maximum 9.8 severity score for its exploitability and potential impact.

"Our research found that the two issues are fundamentally the same but exploitable at different HTTP URI paths due to reuse of a vulnerable code pattern," said Williams.

SSD Labs previously stated that in both cases attackers are “tasked with exploiting a stack overflow vulnerability to cause the DoS - remotely carried out by sending a malicious HTTP request.

“The specific flaw exists within the httpServer function,” it added. “The issue results from the lack of checking the return result of snprintf before using it to calculate the maximum length. An attacker can leverage this vulnerability to impact the availability of the target server."
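The unchecked snprintf return value SSD Labs describes is a well-known C pitfall: snprintf returns the length the formatted string would have had, not the number of bytes it actually stored, so an oversized input makes the "remaining space" arithmetic wrap and a later bounded append becomes unbounded. The following is an added illustration of that pattern beside its hardened form; it is not SonicOS code, and the 64-byte buffer, the request format string and all function names are assumptions. The vulnerable function returns the miscalculated length instead of performing the overflowing write, so it is safe to run.

```c
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SZ 64   /* assumed stack buffer size, illustrative only */

/* Vulnerable pattern (illustrative, not SonicOS code): snprintf's return value
 * is used as if it were the number of bytes written. When the request is longer
 * than the buffer, 'len' exceeds sizeof buf, the subtraction wraps, and the
 * "maximum length" handed to a later strncat/memcpy is effectively unbounded,
 * so that copy overwrites the stack. The function returns the computed
 * remaining length instead of doing the overflowing write. */
size_t vulnerable_remaining(const char *uri)
{
    char buf[REQ_BUF_SZ];
    int len = snprintf(buf, sizeof buf, "GET %s HTTP/1.1", uri);
    /* BUG: len is never compared against sizeof buf */
    size_t remaining = sizeof buf - (size_t)len;   /* wraps when len > 64 */
    /* real code would now do strncat(buf, extra, remaining) -> stack overflow */
    return remaining;
}

/* Hardened form: check the snprintf result before deriving anything from it,
 * and reject the request on error or truncation. Returns -1 on rejection,
 * otherwise the genuinely remaining space. */
long hardened_remaining(const char *uri)
{
    char buf[REQ_BUF_SZ];
    int len = snprintf(buf, sizeof buf, "GET %s HTTP/1.1", uri);
    if (len < 0 || (size_t)len >= sizeof buf)
        return -1;                 /* truncated: do not trust len */
    return (long)(sizeof buf - (size_t)len);
}

/* Constructed test input: a URI of n 'A' characters. */
static void fill_uri(char *dst, size_t n)
{
    memset(dst, 'A', n);
    dst[n] = '\0';
}

/* Wrappers over a constructed 100-byte URI so the behaviour can be checked
 * offline without sending anything to a device. */
size_t vulnerable_oversized(void)
{
    char uri[128];
    fill_uri(uri, 100);
    return vulnerable_remaining(uri);
}

long hardened_oversized(void)
{
    char uri[128];
    fill_uri(uri, 100);
    return hardened_remaining(uri);
}

int main(void)
{
    printf("short URI: vulnerable remaining=%zu, hardened remaining=%ld\n",
           vulnerable_remaining("/"), hardened_remaining("/"));
    printf("100-byte URI: vulnerable remaining=%zu (wrapped), hardened=%ld\n",
           vulnerable_oversized(), hardened_oversized());
    return 0;
}
```

With a short URI both functions agree; with the 100-byte URI the vulnerable version reports a wrapped, enormous "remaining" length, which is exactly the value a follow-on bounded copy would trust, while the hardened version rejects the request. The fix is the return-value check, not a bigger buffer.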

With reference to the RCE, SonicWall’s advisory from 2022 states: “A Stack-based buffer overflow vulnerability in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service or potentially results in code execution in the firewall.”

Even if attackers weren't able to achieve RCE, they could force a targeted device into maintenance mode, requiring an admin's intervention while leaving organizational disruption behind, said Williams.

"The impact of a widespread attack could be severe," he added. "In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality."

Admins are urged to upgrade to the latest versions of NGFW firmware immediately, which include working patches that have long been available.

Fortunately for SonicWall customers, there is no evidence to suggest either of the vulnerabilities is under active exploitation, although, contrary to SonicWall's advisory, a proof-of-concept exploit that works against both has been developed by SSD Labs and is available online.

That's not to say they won't ever be targeted though, especially now the attention has once again been drawn to the vulnerabilities and the attack surface.

Chinese cyberspies were spotted targeting unpatched SonicWall gear less than a year ago, and Charles Carmakal, CTO at Mandiant, said at the time that vulnerabilities in firewalls are typically among the most targeted.

As for why neither CVE-2022-22274 nor CVE-2023-0656 has been exploited in the wild so far, Sean Wright, head of application security at Featurespace, told The Register that he suspected it was likely due to a combination of factors.

CVE-2023-0656 only leads to a DoS, which is difficult for a cybercriminal to monetize, and he guessed achieving RCE with CVE-2022-22274 would likely be too difficult in comparison with the other lucrative and easy-to-exploit RCE vulnerabilities up for grabs.

"The other question regarding why so many instances that are internet-facing are not patched is unfortunately unsurprising," he added. "We, unfortunately, see this all too often, and given the fact that these two vulnerabilities aren't known to have been publicly exploited, it means that they will likely receive less attention than other higher-profile vulnerabilities that are actively being exploited. Nonetheless, it is still important for organizations to ensure that they apply the patches, especially given the potential of remote execution.

"The other problem that many organizations also face is a resourcing problem when it comes to patching, there's a constant deluge of vulnerabilities that need to be triaged and then acted on accordingly. This is a constant task, that is not easy. Nonetheless, these vulnerabilities have been around for a while, so they should have been patched now. This shows how much of a task the industry faces, and we need to start to become a lot more creative in coming up with ideas on how to solve this problem."

The Register approached SonicWall for comment but it didn't respond. ®

Updated at 1026 UTC on January 17 to add

Following publication, SonicWall sent us a statement:

"SonicWall has proactively reached out to partners and customers several times over the past year to ensure maximum adoption of the relevant patches. At the same time, SonicWall continues to encourage partners and customers to upgrade their firmware to address any vulnerabilities by leveraging up-to-date firmware. SonicWall has included an automatic firmware update capability in SonicOS 7.1.1 for critical vulnerabilities moving forward.

"After reviewing the case logs, SonicWall has seen no active exploitation of the affected firmware in the wild, and it’s likely that the methods used to collect populations affected also captured units in our global SonicLabs sensor population – something we are always willing to work with threat researchers to verify prior to publication of articles that address older, previously-patched vulnerabilities."
