Over 178K SonicWall Firewalls Vulnerable to DoS, Potential RCE Attacks

Security researchers at Bishop Fox have identified that over 178,000 SonicWall next-generation firewalls with their management interface exposed online are vulnerable to two stack-based buffer overflow flaws. Tracked as CVE-2022-22274 and CVE-2023-0656, the two vulnerabilities are essentially the same flaw and can be exploited by unauthenticated actors to cause a denial of service and even achieve remote code execution.

CVE-2023-0656 was addressed last year, while CVE-2022-22274 was addressed the year prior, in 2022. In its advisories, SonicWall noted it had no evidence that these vulnerabilities had been exploited in the wild. However, in April 2023, proof-of-concept (PoC) code for CVE-2022-22274 was published by SSD Labs. With many appliances exposed to the internet, actors can leverage the PoC to exploit the flaw.

Security Officer Comments:
In the past, SonicWall NGFW appliances have been targeted in cyber-espionage attacks and by multiple ransomware groups such as HelloKitty and FiveHands. Last March, Chinese hackers were also observed installing custom malware on unpatched SonicWall Secure Mobile appliances for long-term persistence in cyber-espionage campaigns. As such, CVE-2022-22274 and CVE-2023-0656 could be exploited in attacks by like-minded actors.

Suggested Corrections:
Based on a scan conducted by the threat monitoring platform ShadowServer, more than 500,000 SonicWall firewalls are exposed online, the majority of which (over 328,000) reside in the United States. To prevent exploitation attempts, admins are advised to ensure that their SonicWall NGFW appliances' management interface is not exposed online and to upgrade to the latest firmware versions as soon as possible.