Rewterz Threat Advisory –More Than 178,000 SonicWall Next-Generation Firewalls Found Publicly Exploitable

Severity

High

Analysis Summary

Over 178,000 SonicWall next-generation firewall (NGFW) series 6 and 7 devices are affected by two highly severe vulnerabilities that could result in remote code execution. Even though a proof-of-concept (PoC) for one of the flaws was publicly released, the vendor remains unaware of the vulnerabilities being exploited in the wild.

Researchers found SonicWall firewalls with management interfaces being exposed to the internet and the fact that 76% of the internet-facing firewalls are vulnerable to one or both security issues. The two flaws (CVE-2022-22274 and CVE-2023-0656) are similar in fundamentals, but exploitable at different HTTP URI paths because of reusing a vulnerable code pattern. There is also a test script developed by the researchers to check a device’s vulnerability without causing it to crash.

All this shows that the impact of a large-scale attack could be very severe. Usually when it crashes, SonicOS restarts, but after three crashes back-to-back it boots into maintenance mode and requires administrative action to restore to normal mode. An attacker can easily cause a denial of service by leveraging this exploit, and a potential for remote code execution also exists.

It may also be possible to develop an exploit that can execute arbitrary commands, and additional research is required to overcome these emerging challenges. The biggest difficulty for a threat actor would be determining what firmware and hardware version a specific target is using in advance. Since there is currently no technique for fingerprinting SonicWall firewalls remotely, the chance of cybercriminals using RCE is probably low.

The latest available firmware protects against both exploitable vulnerabilities, so it is recommended to upgrade as soon as possible and make sure that the management interface isn’t exposed to the internet. Administrators of vulnerable devices are recommended to remove the web management interface from public access and update the firmware to the latest version.

Impact

• Denial of Service
• Code Execution

Indicators Of Compromise

CVE

• CVE-2022-22274
• CVE-2023-0656

Remediation

• Refer to SonicWall Security Advisory for patch, upgrade or suggested workaround information.
• Administrators are recommended to remove the web management interface from public access and update the firmware to the latest version.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.