Over 178,000 SonicWall firewalls still vulnerable to old flaws

Security researchers found almost 150,000 SonicWall firewalls whose management interfaces are reachable from the internet and that remain vulnerable to an almost two-year-old critical flaw that can cause denial of service and potentially remote code execution. Even more of them are vulnerable to a second instance of the same bug in a different part of the code, reported last year.

The analysis was performed by researchers from security firm Bishop Fox after SonicWall patched nine vulnerabilities in its next-generation firewall (NGFW) appliances in October. Many of those flaws were stack-based buffer overflows in different components of the SonicOS management web interface and could crash the firewall, in other words cause a denial-of-service condition. Bishop Fox set out to measure its customers' exposure by scanning the internet for devices affected by these issues, and decided to include similar older vulnerabilities as well.

One of those older flaws immediately stood out: a vulnerability patched back in March 2022 that is likewise caused by a stack-based buffer overflow in the SonicOS management interface and that was rated 9.4 out of 10 on the CVSS severity scale.

Flaw could result in remote code execution

Unlike the October flaws, CVE-2022-22274 does not require authentication, and SonicWall's advisory warned that it could result in code execution in addition to DoS. The company said at the time that it was not aware of any exploit in the wild. A public proof of concept appeared one year later, when security researchers from SSD Labs found and reported another unauthenticated buffer overflow, tracked as CVE-2023-0656, which now turns out to be just another instance of CVE-2022-22274.

“SSD Labs had published a technical writeup of the bug with a proof of concept, noting two URI paths where the bug could be triggered,” the Bishop Fox researchers said in their new analysis. “We found that CVE-2022-22274 was caused by the same vulnerable code pattern in a different place, and the exploit worked against three additional URI paths.”

This suggests that when fixing CVE-2022-22274, SonicWall's developers patched only the code in the originally reported component and did not look for the same vulnerable pattern elsewhere in the SonicOS code base.

Internet scans reveal vulnerable SonicWall devices

The Bishop Fox researchers wanted to scan the internet and determine how many SonicWall firewalls with exposed management interfaces still serve URI paths vulnerable to CVE-2022-22274 and CVE-2023-0656. However, probing with the real exploit would crash the devices, which the researchers wanted to avoid.

After analyzing how the firewalls responded to requests to the vulnerable URI paths, the researchers worked out a crash-safe test that distinguishes unpatched devices from patched ones and from devices that never had the vulnerable components in the first place. They wrote a scanner in Python and ran it against the devices identified as SonicWall firewalls in the data set of BinaryEdge, a company that runs regular internet-wide scans.

“We exported the entire data set from BinaryEdge, extracted HTTPS URLs, filtered the list to IPv4 (for simplicity – it was a negligible difference), and removed duplicate entries,” the researchers said. “We then wrote a simple script to test reachability and check the response headers. After filtering our results in this manner, we ended up with a target set of 234,720 devices.”
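As an added illustration (this is not Bishop Fox's scanner, which is not reproduced on this page), the following Python rebuilds the target-selection stage the researchers describe: keep only HTTPS services, drop anything that is not an IPv4 address, remove duplicates, and keep only hosts whose response headers look like a SonicOS management interface. The simplified record layout (a stand-in for the real BinaryEdge export), the `Server: SonicWALL` fingerprint and the sample records are all assumptions constructed for the example. It deliberately stops before the vulnerability probe, because the article does not describe the crash-safe check itself.

```python
"""Target-set construction for an internet-wide SonicWall survey.

Added example; not Bishop Fox's code.  Assumptions (not from the article):
  * each scan record is a dict with "ip", "port", "scheme" and "headers"
    (a simplified stand-in for the real BinaryEdge export format);
  * a SonicOS web interface is recognised by a Server header that starts
    with "SonicWALL" (assumed fingerprint, matched case-insensitively).
"""
from __future__ import annotations

import ipaddress
import ssl
import urllib.error
import urllib.request
from typing import Callable, Iterable
from urllib.parse import urlparse

SONICWALL_SERVER_PREFIX = "sonicwall"  # assumed fingerprint, lower-cased

# Constructed sample records (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_RECORDS = [
    {"ip": "198.51.100.10", "port": 443, "scheme": "https",
     "headers": {"Server": "SonicWALL", "Content-Type": "text/html"}},
    {"ip": "198.51.100.10", "port": 443, "scheme": "https",   # duplicate
     "headers": {"Server": "SonicWALL"}},
    {"ip": "198.51.100.11", "port": 8443, "scheme": "https",  # header case differs
     "headers": {"server": "sonicwall"}},
    {"ip": "198.51.100.12", "port": 80, "scheme": "http",     # not HTTPS
     "headers": {"Server": "SonicWALL"}},
    {"ip": "2001:db8::1", "port": 443, "scheme": "https",     # IPv6, filtered out
     "headers": {"Server": "SonicWALL"}},
    {"ip": "198.51.100.13", "port": 443, "scheme": "https",   # other vendor
     "headers": {"Server": "nginx"}},
    {"ip": "198.51.100.14", "port": 443, "scheme": "https",   # unreachable
     "headers": None},
]


def record_url(rec: dict) -> str | None:
    """Render an HTTPS record as https://host:port; non-HTTPS records yield None."""
    if rec.get("scheme") != "https":
        return None
    host = rec["ip"]
    if ":" in host:                      # bracket IPv6 literals for URL syntax
        host = f"[{host}]"
    return f"https://{host}:{rec['port']}"


def is_ipv4_url(url: str) -> bool:
    """True only when the URL host is an IPv4 literal (hostnames/IPv6 dropped)."""
    try:
        return ipaddress.ip_address(urlparse(url).hostname).version == 4
    except ValueError:
        return False


def looks_like_sonicwall(headers: dict[str, str] | None) -> bool:
    """Header-based fingerprint; None means the host did not answer."""
    if not headers:
        return False
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    return server.lower().startswith(SONICWALL_SERVER_PREFIX)


def fetch_headers(url: str, timeout: float = 5.0) -> dict[str, str] | None:
    """Live reachability check returning lower-cased response headers, or None.

    Certificate verification is disabled on purpose: management interfaces
    almost always present self-signed certificates.  Error responses (4xx/5xx)
    still carry headers, so they are returned rather than treated as failures.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}
    except (urllib.error.URLError, OSError):
        return None


def build_target_set(records: Iterable[dict],
                     fetch: Callable[[str], dict[str, str] | None] | None = None) -> list[str]:
    """HTTPS -> IPv4 -> dedupe -> reachability/header check, in that order.

    With fetch=None the headers stored in each record are used (offline run);
    pass fetch=fetch_headers to re-check every candidate live.
    """
    candidates: dict[str, dict | None] = {}
    for rec in records:
        url = record_url(rec)
        if url is None or not is_ipv4_url(url):
            continue
        candidates.setdefault(url, rec.get("headers"))   # first sighting wins
    return [url for url, recorded in candidates.items()
            if looks_like_sonicwall(fetch(url) if fetch else recorded)]


if __name__ == "__main__":
    for target in build_target_set(SAMPLE_RECORDS):
        print(target)
```

Run as-is, the script prints the two IPv4 hosts that answered with a SonicWall-looking `Server` header; the duplicate, the plain-HTTP service, the IPv6 host, the nginx host and the unreachable host are all dropped, mirroring the filtering steps quoted above. The actual vulnerability probe would be a separate stage run only against this reduced target set.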

After running their crash-safe tests against those 234,720 devices, the researchers found that 146,116 (62%) were vulnerable to CVE-2022-22274 and that 178,608 (76%) were vulnerable to CVE-2023-0656.

“At this point in time, an attacker can easily cause a denial of service using this exploit, but as SonicWall noted in its advisories, a potential for remote code execution exists,” the researchers said. “While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges, including PIE, ASLR, and stack canaries.”

Organizations running SonicWall firewalls are strongly urged to upgrade their firmware to the latest available version and to restrict access to the web-based management interface, especially from the internet. Because both flaws live in that interface, keeping it off the internet removes the attack surface regardless of patch state.
