SonicWall has issued solutions for a critical-severity vulnerability in numerous firewall appliances’ web administration interfaces.
The security hole, identified as CVE-2022-22274 (CVSS 9.4), is a stack-based buffer overflow bug that affects SonicOS.
A remote, unauthenticated attacker can leverage this flaw to submit crafted HTTP requests to create a denial-of-service (DoS) or execute code in the firewall.
Over 30 SonicWall appliances running software versions 7.0.1-5050 and older, 7.0.1-R579 and older, and 220.127.116.11-44v-21-1452 and earlier are affected by the vulnerability.
SonicWall has released software versions 7.0.1-5051 and 18.104.22.168-44v-21-1519 to patch the problem. A hotfix for the NSsp 15700 firewall will be available in mid-April, according to the company.
Limiting SonicOS administration access to trusted IP addresses is a mitigation option for customers who can’t implement the available updates right away. To do so, you’ll need to change the SonicOS management access rules (SSH/HTTPS/HTTP Management).
“Continue with the temporary mitigation to avoid exploitation for NSsp 15700, or contact the SonicWall support team for a hotfix firmware” (7.0.1-5030-HF-R844). “An official firmware release with essential patches for the NSsp15700 is expected to be available in mid-April 2022,” according to SonicWall.
SonicWall claims that it is unaware of this vulnerability being actively exploited in the wild, and that no proof-of-concept (PoC) code aimed at the flaw is publicly available.