API security, Network Security

SonicWall API opens 178k firewalls to attack

Over 178,000 SonicWall firewalls that have management interfaces exposed to the internet are at risk of denial of service (DoS) and remote code execution (RCE) attacks, researchers say.

The devices are susceptible to two vulnerabilities which, if exploited, could have “severe” consequences given the scale of the exposure, according to an analysis by Bishop Fox.

SonicWall previously alerted customers to two stack-based buffer overflow vulnerabilities affecting its series 6 and 7 next-generation firewall (NGFW) devices. The first, tracked as CVE-2022-22274, was disclosed in March 2022, while the second, CVE-2023-0656, was revealed in March 2023.

Bishop Fox recently used BinaryEdge source data to scan the SonicWall devices with management interfaces exposed to the internet. The firm’s researchers discovered 76% of the devices (178,637 of 233,984) were vulnerable to at least one of the bugs and 62% (146,087) were vulnerable to both.

In a Jan. 15 research post, Bishop Fox senior security engineer Jon Williams described it as “astonishing” that over 146,000 publicly-accessible devices running SonicWall’s SonicOS operating system were “vulnerable to a bug that was published almost two years ago”.

“The impact of a widespread [DoS] attack could be severe. In its default configuration, SonicOS restarts after a crash, but after three crashes in a short period of time it boots into maintenance mode and requires administrative action to restore normal functionality,” Williams wrote in the report.

Bishop Fox’s research concluded that CVE-2022-22274 (which has a critical CVSS V3 rating of 9.4) and CVE-2023-0656 (CVSS of 7.5) were essentially the same vulnerability except that they were exploitable on different HTTP URI (Uniform Resource Identifier) paths.

“At this point in time, an attacker can easily cause a denial of service using this exploit, but as SonicWall noted in its advisories, a potential for remote code execution exists,” Williams wrote.

He said threat actors would have to overcome several challenges in order to execute arbitrary code by exploiting the vulnerabilities, including determining in advance what firmware and hardware versions a particular target is using, because the exploit needed to be tailored to those parameters.

“Since no technique is currently known for remotely fingerprinting SonicWall firewalls, the likelihood of attackers leveraging RCE is, in our estimation, still low,” Williams said.

“Regardless, taking the appropriate precautions to secure your devices will ensure they don’t fall victim to a potentially painful DoS attack.”

Bishop Fox recommended SonicWall NGFW users immediately removed the device’s web management interface from public access and upgraded the firewall’s firmware to the latest available version. The researchers have produced a test script, available on GitHub, that can determine whether a device is vulnerable to the flaws without crashing it.

Simon Hendery

Simon Hendery is a freelance IT consultant specializing in security, compliance, and enterprise workflows. With a background in technology journalism and marketing, he is a passionate storyteller who loves researching and sharing the latest industry developments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.