Firewall Inferno – Sophos & SonicWall Vulnerabilities

CVE-2022-1040 and CVE-2022-22247 are two recently disclosed vulnerabilities in two different firewall products. This blog post covers both the Sophos Firewall vulnerability (CVE-2022-1040) and the SonicWall firewall vulnerability (CVE-2022-22247).

Background on CVE-2022-1040 in Sophos Firewalls

On Friday, March 25, 2022, Sophos, a British cybersecurity company, disclosed a critical authentication bypass vulnerability impacting Sophos Firewall, which was discovered by a security researcher through Sophos’ bug bounty program. This vulnerability affects versions up to and including 18.5 MR3 (18.5.3) and could lead to remote code execution. It has been assigned CVE-2022-1040 with a CVSS (Common Vulnerability Scoring System) v3 score of 9.8 (Critical), and it was found in the User Portal and Webadmin interfaces of Sophos Firewall. For a threat actor to exploit this vulnerability, WAN access must be enabled for these portals.

Versions Affected by CVE-2022-1040

Sophos released hotfixes for both supported and end-of-life versions of affected products on March 23 and March 24, ahead of disclosing the vulnerability.

Hotfixed Supported Versions

  • v17.0 MR10 EAL4+
  • v17.5 MR16 and MR17
  • v18.0 MR5(-1) and MR6
  • v18.5 MR1 through MR3
  • v19.0 EAP

Hotfixed Unsupported / EOL Versions

  • v17.5 MR12 through MR15
  • v18.0 MR3 and MR4
  • v18.5 GA

Recommendations for CVE-2022-1040

Arctic Wolf strongly recommends updating the firmware and verifying that the patch is applied. For security practitioners who are not able to apply the patch, Sophos has also detailed a workaround: disabling WAN access to the web consoles.

Recommendation #1: Verify Hotfix Installation

Sophos has a support document detailing a shell command that checks whether the hotfix is applied: https://support.sophos.com/support/s/article/KB-000043853

Recommendation #2: Update Sophos Firewall Firmware

If the verification from the above recommendation fails (“Hotfix isn’t applied”), Sophos has detailed the steps to update your firmware version.

Background on CVE-2022-22247 – SonicWall Firewalls

On Thursday, March 24, SonicWall, a security hardware manufacturer, published a security advisory to address a critical vulnerability, CVE-2022-22247, in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The flaw is a stack-based buffer overflow in SonicOS, triggered via an HTTP request, that allows a remote unauthenticated attacker to cause a DoS or potentially execute code on the firewall. The vulnerability only impacts the web management interface in TZ Series next-generation firewalls (NGFW), Network Security Virtual (NSv Series), and Network Security services platform (NSsp); the SonicOS SSLVPN interface is not affected.

The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept exploits, and it found no evidence of exploitation in the wild. Patches or hotfixes are available for all affected products.

The CVE-2022-22247 vulnerability ID has been reserved but has not yet been assigned a score.

Versions Affected by CVE-2022-22247

The SonicWall appliances below are impacted by the CVE-2022-22247 vulnerability.

| Impacted Platforms | Impacted Version | Fixed Version |
| --- | --- | --- |
| TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5050 and older | 7.0.1-5051 and higher |
| NSsp 15700 | 7.0.1-R579 and older | Mid-April (Hotfix build 7.0.1-5030-HF-R844) |
| NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | 6.5.4.4-44v-21-1452 and earlier | 6.5.4.4-44v-21-1519 and higher |

Recommendations for CVE-2022-22247

Arctic Wolf strongly recommends that organisations using impacted firewalls follow the guidance provided, by either patching or implementing the available workarounds.

Recommendation #1: Patch Affected Firewall Products

Apply the applicable ‘Fixed Version’ patch, from the table above, to the affected SonicWall products.
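
An added example, not part of the original post or any SonicWall tooling: a triage check that classifies the appliances in an inventory against the impacted and fixed builds in the table above. The hostnames and version strings in the inventory are constructed, and the version-string patterns are assumptions based on the formats shown in the table.

```python
import re

# Rows transcribed from the table above:
# (models, version pattern capturing the build, last impacted build, first fixed build)
ROWS = [
    ("TZ270 TZ270W TZ370 TZ370W TZ470 TZ470W TZ570 TZ570W TZ570P TZ670 "
     "NSa2700 NSa3700 NSa4700 NSa5700 NSa6700 NSsp10700 NSsp11700 NSsp13700 "
     "NSv270 NSv470 NSv870", r"7\.0\.1-(\d+)", 5050, 5051),
    ("NSsp15700", r"7\.0\.1-(?:\d+-HF-)?R(\d+)", 579, 844),
    ("NSv10 NSv25 NSv50 NSv100 NSv200 NSv300 NSv400 NSv800 NSv1600",
     r"6\.5\.4\.4-44v-21-(\d+)", 1452, 1519),
]

def _norm(model):
    """Make 'NSa 2700' and 'nsa2700' compare equal."""
    return re.sub(r"\s+", "", model).lower()

def triage(model, version):
    """Return 'affected', 'fixed', 'review' or 'not-listed' for one appliance."""
    for models, pattern, last_impacted, first_fixed in ROWS:
        if _norm(model) not in {_norm(m) for m in models.split()}:
            continue
        m = re.fullmatch(pattern, version.strip())
        if m is None:
            return "review"   # other release train or unparsed string: check by hand
        build = int(m.group(1))
        if build <= last_impacted:
            return "affected"
        if build >= first_fixed:
            return "fixed"
        return "review"       # between the two builds the table names
    return "not-listed"       # model does not appear in the table

# Constructed inventory (hypothetical hostnames and versions)
INVENTORY = [
    ("fw-branch-01", "TZ370", "7.0.1-5050"),
    ("fw-hq-01", "NSa 2700", "7.0.1-5051"),
    ("fw-dc-01", "NSsp 15700", "7.0.1-R579"),
    ("fw-dc-02", "NSsp 15700", "7.0.1-5030-HF-R844"),
    ("fw-cloud-01", "NSv 200", "6.5.4.4-44v-21-1480"),
    ("fw-lab-01", "TZ400", "6.5.4.9-93n"),
]

def report(inventory=INVENTORY):
    return {host: triage(model, ver) for host, model, ver in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host:12} {status}")
```

A "review" result means the table does not settle the question for that build, so the appliance should be checked against the vendor advisory rather than assumed safe.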

Recommendation #2: Implement Vendor Provided Workarounds

Until the appropriate patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources and/or disable management access from untrusted internet sources. The workarounds below detail how to modify the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management). This will only allow management access from trusted source IP addresses.

Adrian Korn

Adrian Korn is a seasoned cyber security professional with 7+ years' experience in cyber threat intelligence, threat detection, and security operations. He currently serves as the Manager of Threat Intelligence Research at Arctic Wolf Labs. Adrian has been a guest speaker on intelligence related topics at numerous conferences around the world, including DEF CON's Recon Village, Hackfest, and the Australian OSINT Symposium.