178,000+ Sonicwall Firewalls Vulnerable to RCE Attacks


Because SonicWall firewalls are so widely deployed in organizations, attackers see them as appealing targets when looking to breach networks.

By exploiting security holes in SonicWall firewalls, attackers can gain unauthorized access to confidential data, ease the way for outsiders to infiltrate internal networks, and launch several kinds of cyberattacks.

Cybersecurity researchers at Bishop Fox recently found that more than 178,000 Internet-exposed SonicWall firewalls are running vulnerable firmware and could be attacked by threat actors in the wild.



Sonicwall Firewall Vulnerable to RCE Attacks

SonicWall NGFW series 6 and 7 appliances are affected by two unauthenticated denial-of-service vulnerabilities in the web management interface, CVE-2022-22274 and CVE-2023-0656, which Bishop Fox assesses could potentially be turned into remote code execution.

No in-the-wild exploitation has been reported so far, but a proof of concept for CVE-2023-0656 is public. BinaryEdge scan data shows that 76% of exposed SonicWall firewalls (178,637 of 233,984) are running vulnerable firmware.

The impact of a widespread attack could be severe: in its default configuration SonicOS restarts after a crash, but after three crashes the device drops into maintenance mode instead of returning to service.

Bishop Fox analyzed CVE-2022-22274 with Ghidra and BinDiff, comparing versions of the sonicosv binary, and built on watchTowr Labs' earlier analysis and Praetorian's firmware decryption tool to speed up the research.

They identified key code changes in the HTTP request handling functions between NSv firmware versions 6.5.4.4-44v-21-1452 (vulnerable) and 6.5.4.4-44v-21-1519 (patched).

Vulnerable code change (Source – Bishop Fox)

Patched code change (Source – Bishop Fox)

In the vulnerable code, two __snprintf_chk() calls are made back to back, with the return value of the first used to compute the destination pointer and the remaining length passed to the second.

The patched version converts a variable from signed to unsigned, adds bounds checks, and tightens the input and output checks around the second call.

The return value of __snprintf_chk() is the crux of the bug: the SonicWall developers assumed it equals the number of characters actually written, overlooking the behaviour spelled out in the snprintf() documentation, which returns the number of characters that would have been written had the buffer been large enough, even when the output was truncated.

The problem is that the remaining length (maxlen) for the second call is computed as a size_t by subtracting that return value from 1024; when the first call wanted to write more than 1024 bytes, the subtraction wraps around to a huge value. The second call is therefore told it may write an enormous amount of data into what is left of a 1024-byte buffer, and because maxlen is effectively the maximum 64-bit unsigned integer value, the fortified call's overflow protection is bypassed.

This suggests the developers wrote the code with plain snprintf() and that compile-time overflow protection turned it into __snprintf_chk(); since the compiler could not determine the size of the destination object at that point, the object-size argument (slen) passed to __snprintf_chk() was the maximum value, so its check never fires.

The patched firmware adds a check between the two snprintf() calls that requires the first call's return value to be below 1024, which restores the buffer overflow protection.

If the check fails, the second call is skipped and request handling terminates; the original calls themselves are left unchanged.
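The chained snprintf() bug described above, reconstructed here as an added example that is not SonicWall's or Bishop Fox's code: the vulnerable size_t arithmetic next to the patched pattern. The request format strings, the 1024-byte buffer, the canary region behind it and the constructed 1099-byte path are assumptions made for the demonstration.

```c
/* Added example, not SonicWall's or Bishop Fox's code: the chained snprintf()
 * bug described above next to the patched pattern. The request format
 * strings, the 1024-byte buffer and the oversized path are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define BUF_LEN     1024                /* buffer size named in the analysis */
#define CANARY_LEN  256                 /* guard region after the buffer */
#define STORAGE_LEN (BUF_LEN + CANARY_LEN)

/* Vulnerable arithmetic: "1024 - ret" evaluated in size_t. snprintf() returns
 * the length it WANTED to write, so any ret > 1024 wraps to a huge maxlen. */
size_t remaining_vulnerable(int ret)
{
    return (size_t)BUF_LEN - (size_t)ret;
}

/* Vulnerable builder: no check between the two calls. With a long `path`,
 * buf + ret already points past the 1024-byte region and the second
 * snprintf() is handed a wrapped, effectively unlimited maxlen. The caller
 * supplies STORAGE_LEN bytes so the stray write lands in memory we own. */
int build_vulnerable(char *storage, const char *path, const char *query)
{
    char *buf = storage;                /* logical buffer: first BUF_LEN bytes */
    int ret = snprintf(buf, BUF_LEN, "GET %s HTTP/1.1\r\n", path);
    size_t remaining = remaining_vulnerable(ret);
    snprintf(buf + ret, remaining, "Query: %s\r\n", query);
    return ret;
}

/* Patched pattern: require the first return value to be below the buffer
 * size before computing the remainder; otherwise skip the second call and
 * fail the request, the shape of the fix described above. */
int build_fixed(char *buf, size_t buflen, const char *path, const char *query)
{
    int ret = snprintf(buf, buflen, "GET %s HTTP/1.1\r\n", path);
    if (ret < 0 || (size_t)ret >= buflen)
        return -1;                      /* truncated: abort request handling */
    size_t remaining = buflen - (size_t)ret;   /* cannot wrap any more */
    int ret2 = snprintf(buf + ret, remaining, "Query: %s\r\n", query);
    if (ret2 < 0 || (size_t)ret2 >= remaining)
        return -1;
    return ret + ret2;
}

/* ---- helpers that exercise both builders on constructed input ---- */

static char *make_path(size_t len)      /* constructed: len bytes of 'A' */
{
    char *p = malloc(len + 1);
    memset(p, 'A', len);
    p[len] = '\0';
    return p;
}

static void fill_storage(char *storage)
{
    memset(storage, 0, BUF_LEN);
    memset(storage + BUF_LEN, 'C', CANARY_LEN);
}

static int canary_intact(const char *storage)
{
    for (size_t i = BUF_LEN; i < STORAGE_LEN; i++)
        if (storage[i] != 'C')
            return 0;
    return 1;
}

/* What the first call returns for a path of the given length; runs only the
 * first snprintf(), so it is safe under any libc or fortify level. */
int first_call_ret_for_path_len(size_t path_len)
{
    char buf[BUF_LEN];
    char *path = make_path(path_len);
    int ret = snprintf(buf, BUF_LEN, "GET %s HTTP/1.1\r\n", path);
    free(path);
    return ret;
}

/* 1 if the fixed builder refuses a 1099-byte path and leaves the canary alone. */
int fixed_rejects_long_path(void)
{
    char storage[STORAGE_LEN];
    char *path = make_path(1099);
    fill_storage(storage);
    int rc = build_fixed(storage, BUF_LEN, path, "x");
    free(path);
    return rc == -1 && canary_intact(storage);
}

/* 1 if the fixed builder still produces the expected request for sane input. */
int fixed_accepts_short_path(void)
{
    char buf[BUF_LEN];
    int rc = build_fixed(buf, BUF_LEN, "/index.html", "a=1");
    return rc == 38 && strcmp(buf, "GET /index.html HTTP/1.1\r\nQuery: a=1\r\n") == 0;
}

int main(void)
{
    char storage[STORAGE_LEN];
    char *path = make_path(1099);       /* first call wants 1114 bytes */
    fill_storage(storage);
    int ret = build_vulnerable(storage, path, "x");
    printf("first call returned %d, so the second write starts at offset %d of a "
           "%d-byte buffer with maxlen %zu; canary %s\n", ret, ret, BUF_LEN,
           remaining_vulnerable(ret), canary_intact(storage) ? "intact" : "CORRUPTED");
    free(path);
    return 0;
}
```

Build with `gcc -Wall snprintf_chain.c -o snprintf_chain` (assumed file name) and run it: the first call reports 1114 for the oversized path, the wrapped maxlen is SIZE_MAX - 89, and the second write starts 90 bytes past the end of the logical buffer. Whether that stray write is actually performed depends on how the C library treats a maxlen above INT_MAX (glibc honours it and the canary is reported corrupted; musl fails the call with EOVERFLOW). Compiling with `-O2 -D_FORTIFY_SOURCE=2` shows why the fortified call gave no protection on SonicOS: `buf + ret` is a runtime offset into a caller-supplied pointer, so the compiler cannot determine the destination's size and __snprintf_chk() receives the maximum object size, leaving the wrapped maxlen as the only bound.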

CVE-2022-22274 and CVE-2023-0656 are the same underlying bug reachable through different URI paths; either can be used to crash vulnerable devices.

Bishop Fox urges users to run a safe (non-crashing) vulnerability check against their deployed SonicWall NGFW devices and, for any device found vulnerable, to take the following two steps immediately:

  • Remove the web management interface from public access immediately.
  • Upgrade old firmware to the latest available version.

For now, the need to identify a target's exact firmware and hardware version is a hurdle for attackers, because a working exploit must be tailored to each build.

No remote fingerprinting technique for SonicWall firewalls is known, which keeps the likelihood of RCE low. Bishop Fox nevertheless strongly recommends securing exposed devices, since the DoS attack needs no such customization.
