Date: March 29th, 2021
Security hardware manufacturer SonicWall has fixed a critical vulnerability in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The security flaw is a stack-based buffer overflow weakness with a 9.4 CVSS severity score and impacting multiple SonicWall firewalls.
Tracked as CVE-2022-22274, the bug affects TZ Series entry-level desktop form factor next-generation firewalls (NGFW) for small- and medium-sized businesses (SMBs), Network Security Virtual (NSv series) firewalls designed to secure the cloud, and Network Security services platform (NSsp) high-end firewalls.
Exploitable remotely without authentication
Unauthenticated attackers can exploit the flaw remotely, via HTTP requests, in low complexity attacks that don’t require user interaction “to cause Denial of Service (DoS) or potentially results in code execution in the firewall.”The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept (PoC) exploits, and it found no evidence of exploitation in attacks.The company has released patches for all impacted SonicOS versions and firewalls and urged customers to update all affected products.”SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance,” the company said in a security advisory published on Friday.
|Product||Impacted Platforms||Impacted Version||Fixed Version|
|SonicWall Firewall||TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSSP 10700, NSsp 11700, NSsp 13700, Nsv 270, NSv 470, NSv 870||7.0.1-5050 and earlier||7.0.1-5051 and higher|
|SonicWall NSSP Firewall||NSSP 15700||7.0.1-R579 and earlier||Mid-April (Hotfix build 7.0.1-5030-HF-R844)|
|SonicWall NSv Firewalls||NSv 10, NSv 25, NSv 50, Nsv 100, NSv 200, Nsv, 300, NSv 400, NSv 800, NSv 1600||188.8.131.52-44v-21-1452 and earlier||184.108.40.206-44v-21-1519 and higher|
SonicWall also provides a temporary workaround to remove the exploitation vector on systems that cannot be immediately patched. As the security vendor explained, admins are required to only allow access to the SonicOS management interface to trusted sources. This really should be a standard practices where management portals are only exposed to trusted networks and IP addresses.
Exposing a management portal to untrusted network is always a recipe for RISK, and I would challenge system and network engineers remove all access and ensure multiple layers of security exist plus sufficient logging is enabled.