Internet scans reveal vulnerable SonicWall devices
The Bishop Fox researchers wanted to scan the internet to determine how many SonicWall firewalls with exposed management interfaces have URI paths that are still vulnerable to CVE-2022-22274 and CVE-2023-0656. However, probing for these issues with the real exploit causes devices to crash, and the researchers wanted to avoid that.
After analyzing how the firewalls responded to requests to the vulnerable URI paths, the researchers figured out a crash-safe way to perform the test and tell non-patched devices apart from patched ones or from devices that didn’t have the vulnerable components in the first place. They wrote a scanner in Python and then ran it against a list of devices identified as SonicWall firewalls in the data set from BinaryEdge, a company that runs regular internet-wide scans.
“We exported the entire data set from BinaryEdge, extracted HTTPS URLs, filtered the list to IPv4 (for simplicity – it was a negligible difference), and removed duplicate entries,” the researchers said. “We then wrote a simple script to test reachability and check the response headers. After filtering our results in this manner, we ended up with a target set of 234,720 devices.”
After running their crash-free tests, the researchers found that 146,116, or 62% of the devices, were vulnerable to CVE-2022-22274 and that 178,608 (76%) were vulnerable to CVE-2023-0656.
“At this point in time, an attacker can easily cause a denial of service using this exploit, but as SonicWall noted in its advisories, a potential for remote code execution exists,” the researchers said. “While it may be possible to devise an exploit that can execute arbitrary commands, additional research is needed to overcome several challenges, including PIE, ASLR, and stack canaries.”
Organizations running SonicWall firewalls are strongly urged to upgrade their firmware to the latest available version and to restrict access to the web-based management interface, especially from the internet.
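For administrators acting on that advice, the same list preparation the researchers describe (keep HTTPS URLs, keep IPv4 hosts, remove duplicates) can be applied to an organization's own inventory export to find management URLs on addresses outside the approved management networks. This is an added example, not the Bishop Fox scanner; the function names, the `MGMT_NETS` allowlist and the sample export are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample export; addresses come from documentation and private ranges.
SAMPLE_EXPORT = """\
https://203.0.113.10/
https://203.0.113.10:443/login
http://203.0.113.11/
https://10.20.0.5:8443/
https://[2001:db8::1]/
https://fw.example.com/
https://198.51.100.7:4433/
not a url
"""

# Assumption: networks from which management access is expected.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def https_ipv4_endpoints(lines):
    """Return sorted, de-duplicated (IPv4Address, port) pairs for HTTPS URLs."""
    seen = set()
    for line in lines:
        try:
            parts = urlsplit(line.strip())
            if parts.scheme != "https" or parts.hostname is None:
                continue
            ip = ipaddress.IPv4Address(parts.hostname)  # rejects IPv6 and names
            port = parts.port or 443  # default HTTPS port, so ":443" dedupes
        except ValueError:
            continue  # malformed URL, bad port, or non-IPv4 host
        seen.add((ip, port))
    return sorted(seen)


def outside_mgmt_nets(endpoints, nets=MGMT_NETS):
    """Endpoints whose address is not inside any approved management network."""
    return [(ip, port) for ip, port in endpoints
            if not any(ip in net for net in nets)]


if __name__ == "__main__":
    endpoints = https_ipv4_endpoints(SAMPLE_EXPORT.splitlines())
    for ip, port in outside_mgmt_nets(endpoints):
        print(f"review exposure: https://{ip}:{port}/")
```

Normalizing the default port before de-duplicating matters: without it, the same interface listed with and without `:443` is counted twice.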