Firewall Inferno – Sophos & SonicWall Vulnerabilities

Share :

CVE-2022-1040 and CVE-2022-22247 are two recent vulnerabilities that have been discovered in two different Firewall products. This blog post will cover both the Sophos Firewall vulnerability (CVE-2022-1040) and the SonicWall Firewall vulnerability (CVE-2022-22247).

Background on CVE-2022-1040 in Sophos Firewalls

On Friday, March 25, 2022, Sophos, a British-based cybersecurity company, disclosed a critical authentication bypass vulnerability impacting Sophos Firewall, which was discovered by a security researcher using Sophos’ bug bounty program. This vulnerability affects versions up to and including 18.5 MR3 (18.5.3) and could lead to remote code execution. Assigned CVE-2022-1040 vulnerability ID with the 9.8 – Critical, CVSS (Common Vulnerability Scoring System) V3 score; this vulnerability was found in the User Portal and Webadmin interfaces of Sophos Firewall. In order for a threat actor to exploit this vulnerability, WAN access must be enabled for these portals.

Affected Version by CVE-2022-1040

Sophos has released hotfixes for both supported and end-of-life versions of affected products on March 23 and March 24, ahead of disclosing the vulnerability.

Hotfixed Supported Versions

Hotfixed Unsupported / EOL Versions

  • v17.0 MR10 EAL4+
  • v17.5 MR16 and MR17
  • v18.0 MR5(-1) and MR6
  • v18.5 MR1 through MR3
  • v19.0 EAP
  • v17.5 MR12 through MR15
  • v18.0 MR3 and MR4
  • v18.5 GA

Recommendations for CVE-2022-1040

Arctic Wolf strongly recommends updating and verifying the firmware patch is applied. For security practitioners who are not able to apply the patch, Sophos has also detailed a workaround, by disabling WAN access to the web consoles.

Recommendation #1: Verify Hotfix Installation

Sophos has a support document detailing a command to check if the hotfix is applied from a shell here: https://support.sophos.com/support/s/article/KB-000043853

Recommendation #2: Update Sophos Firewall Firmware

If the verification of the patch from the above recommendation fails (“Hotfix isn’t applied”) Sophos has detailed the steps to update your Firmware version.

Background on CVE-2022-22247 – SonicWall Firewalls

On Thursday, March 24, SonicWall, Security hardware manufacturer, published a security advisory to address a critical vulnerability – CVE-2022-22247 – in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The security flaw is a stack-based buffer overflow in SonicOS via an HTTP request allowing a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially execute code in the firewall. This vulnerability only impacts the web management interface in TZ Series next-generation firewalls (NGFW), Network Security Virtual (NSv Series), and Network Security services platform (NSsp); the SonicOS SSLVPN interface is not affected.

The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept exploits, and it found no evidence of exploitation in the wild. Patches or hotfixes are available for all affected products.

CVE-2022-22247 vulnerability id has been reserved but not assigned a score yet.

Affected Version by CVE-2022-22247

The SonicWall appliances below are impacted by CVE-2022-22247 vulnerability.

Impacted Platforms

Impacted Version

Fixed Version

TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W,

TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700,
NSa 4700, NSa 5700, NSa 6700, NSsp 10700,

NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870

7.0.1-5050 and older

7.0.1-5051 and higher

NSsp 15700

7.0.1-R579 and older

Mid-April (Hotfix build 7.0.1-5030-HF-R844)

NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300,
NSv 400, NSv 800, NSv 1600

6.5.4.4-44v-21-1452 and earlier

6.5.4.4-44v-21-1519 and higher

Recommendations for CVE-2022-22247

Arctic Wolf strongly recommends organisations who are using impacted firewalls, follow the guidance provided by either patching or implementing the available workarounds.

Recommendation #1: Patch Affected Firewalls Products

Apply applicable ‘Fixed Version’ patch, from the table above, to the affected SonicWall products.

Recommendation #2: Implement Vendor Provided Workarounds

Until the appropriate patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources and/or disable management access from untrusted internet sources. The workarounds below detail how to modify the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management). This will only allow management access from trusted source IP addresses.

References

1. Resolved RCE in Sophos Firewall (CVE-2022-1040) 

2. MITRE: CVE-2022-1040 

3. Device Access – Sophos Firewall (CVE-2022-1040)

4. Service and Support(CVE-2022-1040) – KB-000043853 

5. SonicWall CVE-2022-22274 Advisory

6. SonicWall Knowledge Base Article on Vulnerability (CVE-2022-22274)

7. SonicWall Knowledge Base –1– (CVE-2022-22274)

8. SonicWall Knowledge Base –2– (CVE-2022-22274)

Sule Tatar

Sule Tatar

Sule Tatar is a Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.
Share :
Table of Contents
Categories