SonicWall firewalls have been found vulnerable to two Denial of Service (DoS) issues that stem from the same vulnerable code pattern. Research indicates that SonicWall firewalls with management interfaces exposed online are vulnerable to one or both issues. The vulnerabilities are tracked as CVE-2022-22274 and CVE-2023-0656; in this Cybersecurity Threat Advisory we cover the impact of these vulnerabilities.
What is the threat?
SonicWall NextGen Firewalls (NGFW) with management interfaces exposed to the internet are vulnerable to DoS attacks. Both CVE-2022-22274 and CVE-2023-0656 can be exploited through the same vulnerable code pattern, which presents a massive attack surface. Attackers can further exploit CVE-2022-22274, which may allow them to execute code remotely. Around 178,000 SonicWall firewalls were found to be vulnerable.
Why is it noteworthy?
Both vulnerabilities share the same vulnerable code pattern but can be exploited via different HTTP uniform resource identifier (URI) paths. The exploit also worked against three additional URI paths. Attackers can push a device into maintenance mode even if they are unable to execute any code remotely, and administrator intervention is required to return the device to its normal state.
What is the exposure or risk?
These vulnerabilities can be leveraged by threat actors to disable virtual private network (VPN) access and to disable edge firewalls, taking all or part of a corporate network down or making it inaccessible to users. SonicWall appliances were previously targeted by ransomware groups, including HelloKitty. The SonicWall Product Security Incident Response Team (PSIRT) and Mandiant revealed that suspected hackers installed custom malware on unpatched SonicWall Secure Mobile Access (SMA) appliances for long-term persistence in cyber espionage campaigns.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of SonicWall DoS vulnerabilities:
- Upgrade to the latest version as a priority.
- Ensure that the management interface is not exposed to the internet.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.