Startling Discovery by Bishop Fox Researchers
A recent investigation by cybersecurity experts at Bishop Fox has uncovered a significant vulnerability in SonicWall’s next-generation firewalls (NGFW). This alarming find reveals that over 178,000 of these advanced firewall devices are publicly exploitable due to critical security flaws.
The Affected Devices: SonicWall NGFW Series 6 and 7
The vulnerability primarily impacts SonicWall’s NGFW Series 6 and 7 devices. Two critical unauthenticated denial-of-service vulnerabilities, identified as CVE-2022-22274 and CVE-2023-0656, have been found. These vulnerabilities could potentially lead to remote code execution. Although a proof-of-concept exploit for CVE-2023-0656 has been released, SonicWall has not yet observed any attacks exploiting these vulnerabilities in real-world scenarios.
Methodology of the Discovery
The team at Bishop Fox utilized data from BinaryEdge to identify SonicWall firewalls with internet-exposed management interfaces. Astonishingly, their analysis revealed that 76% (178,637 out of 233,984) of these Internet-facing firewalls are susceptible to one or both of these vulnerabilities.
Nature of the Vulnerabilities
The researchers noted that both vulnerabilities are fundamentally similar but exploitable at different HTTP URI paths. This is due to the reuse of a vulnerable code pattern in the firewalls. To help identify vulnerable devices without causing a crash, the researchers developed a specialized test script.
Potential Impact of a Large-Scale Attack
The implications of a large-scale attack exploiting these vulnerabilities are severe. By default, SonicOS, the operating system for these firewalls, restarts after a crash. However, if it crashes thrice in quick succession, it enters maintenance mode, necessitating administrative intervention for restoration.
Recommendations for Mitigation
Immediate Firmware Updates Required
Bishop Fox’s advisory strongly recommends immediate firmware updates as the latest version offers protection against both vulnerabilities. Additionally, administrators are advised to ensure that the firewall’s management interface is not exposed to the internet.
Removing Web Management Interface from Public Access
Administrators overseeing vulnerable devices should remove the web management interface from public access. Upgrading the firmware to the most recent version is also crucial for enhancing security.
The Challenge of Remote Code Execution (RCE)
Although the current exploit primarily causes denial of service, the potential for remote code execution exists, as noted by SonicWall. Developing an exploit capable of executing arbitrary commands would require overcoming multiple challenges, including Position Independent Executable (PIE), Address Space Layout Randomization (ASLR), and stack canaries.
The Difficulty in Exploit Tailoring
An attacker would face the challenge of tailoring the exploit to specific firmware and hardware versions, as these parameters significantly vary. Currently, no known technique exists for remotely fingerprinting SonicWall firewalls, which makes the likelihood of attackers successfully leveraging RCE relatively low.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.