Threat Update
SonicWall has released a hotfix for a critical RCE / DoS vulnerability that affects a subset of their firewall devices. This vulnerability (tracked as CVE-2022-22274) in Sonic OS allows an unauthenticated remote attacker to perform denial of service (DoS) and remote code execution (RCE) attacks. Barracuda MSP recommends restricting SonicWall access to trusted administrators until there is a full fix in place.
Technical Detail & Additional Information
WHAT IS THE THREAT?
A critical stack-based buffer overflow vulnerability has been discovered in multiple versions of SonicWall firewalls, tracked as CVE-2022-22274. Exploitation of this vulnerability allows an unauthenticated remote attacker to perform a denial of service (DoS) attack via a specially crafted HTTP request that can lead to remote code execution. A DoS attack is one that attempts to bring a machine or network to a halt or making it unreachable to its intended users. At the time of publication, SonicWall claims that there are currently no publicly reported instances of this vulnerability being exploited in the wild.
WHY IS IT NOTEWORTHY?
An exploit in SonicWall’s devices represents a large-scale risk to users of their devices in either a business or personal capacity. The security flaw is a stack-based buffer overflow which allow unauthenticated attackers to utilize HTTP requests to remotely exploit the vulnerability, which do not require user interaction. That could lead to Denial of Service (DoS) and Remote Code Execution (RCE) attacks on a vulnerable firewall.
WHAT IS THE EXPOSURE OR RISK?
Exploitation of this vulnerability can result in an attacker remotely executing code on the vulnerable firewall. This can grant them complete access to the firewall, the ability to change policies, add or remove users, or control access at will. If an attacker had full control of the firewall in this regard, the impact to your environment as a whole could be significant. Additionally, a DoS attack could similarly limit the availability of the firewall for authorized users and can represent a significant detriment to operational performance. The vulnerable devices and their versions are listed below:
The following versions of the SonicWall firewall are vulnerable to Denial of Service (Dos) and Remote code execution (RCE): 7.0.1-5050 and earlier, 7.0.1-R579 and earlier, 6.5.4.4-44v-21-1452 and earlier.
| Impacted Platforms | Impacted Version |
| TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 |
7.0.1-5050 and earlier |
| NSsp 15700 | 7.0.1-R579 and earlier |
| NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 |
6.5.4.4-44v-21-1452 and earlier |
WHAT ARE THE RECOMMENDATIONS?
Barracuda MSP recommends the following actions to limit the impact of attack:
- Until SonicWall releases a full fix, administrators are strongly advised to restrict Sonic OS administration access to trusted sources only.
- Modify the existing Sonic OS management access rules (SSH/HTTPS/HTTP) to disable management access from untrusted internet sources. Only trusted source IP addresses will be allowed to access the management.
REFERENCES
For more in-depth information about the recommendations, please visit the following links:
- https://www.sonicwall.com/support/notices/security-notice-critical-unauthenticated-stack-based-buffer-overflow-vulnerability-in-sonicos/220323160744440/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22274
- https://thehackernews.com/2022/03/critical-sonicos-vulnerability-affects.html
- https://www.bleepingcomputer.com/news/security/critical-sonicwall-firewall-patch-not-released-for-all-devices/
If you have any questions, please contact our Security Operations Center.
