CVE-2022-1040 and CVE-2022-22247 are two recently disclosed vulnerabilities in two different firewall products. This blog post covers both the Sophos Firewall vulnerability (CVE-2022-1040) and the SonicWall firewall vulnerability (CVE-2022-22247).
Background on CVE-2022-1040 in Sophos Firewalls
On Friday, March 25, 2022, Sophos, a British cybersecurity company, disclosed a critical authentication bypass vulnerability in Sophos Firewall, discovered by a security researcher through Sophos' bug bounty program. The vulnerability affects versions up to and including 18.5 MR3 (18.5.3) and can lead to remote code execution. It was assigned CVE-2022-1040 with a CVSS v3 (Common Vulnerability Scoring System) score of 9.8 (Critical), and it was found in the User Portal and Webadmin interfaces of Sophos Firewall. For a threat actor to exploit this vulnerability, WAN access must be enabled for these portals.
Affected Versions for CVE-2022-1040
Sophos has released hotfixes for both supported and end-of-life versions of affected products on March 23 and March 24, ahead of disclosing the vulnerability.
| Hotfixed Supported Versions | Hotfixed Unsupported / EOL Versions |
|---|---|
Recommendations for CVE-2022-1040
Arctic Wolf strongly recommends updating and then verifying that the firmware hotfix is applied. For security practitioners who are not able to apply the patch, Sophos has also detailed a workaround: disable WAN access to the web consoles.
Recommendation #1: Verify Hotfix Installation
Sophos has a support document detailing a command to check if the hotfix is applied from a shell here:
Recommendation #2: Update Sophos Firewall Firmware
If the verification in the recommendation above fails ("Hotfix isn't applied"), Sophos has detailed the steps to update your firmware version.
Background on CVE-2022-22247 in SonicWall Firewalls
On Thursday, March 24, SonicWall, a security hardware manufacturer, published a security advisory addressing a critical vulnerability (CVE-2022-22247) in the SonicOS security operating system that allows denial of service (DoS) attacks and could lead to remote code execution (RCE). The flaw is a stack-based buffer overflow in SonicOS reachable via an HTTP request, allowing a remote unauthenticated attacker to cause a DoS or potentially execute code on the firewall. It only affects the web management interface of TZ Series next-generation firewalls (NGFW), Network Security Virtual (NSv Series) and Network Security services platform (NSsp) appliances; the SonicOS SSLVPN interface is not affected.
The SonicWall Product Security Incident Response Team (PSIRT) says there are no reports of public proof-of-concept exploits, and it found no evidence of exploitation in the wild. Patches or hotfixes are available for all affected products.
The CVE-2022-22247 ID has been reserved, but a CVSS score has not yet been assigned.
Affected Versions for CVE-2022-22247
The SonicWall appliances below are impacted by CVE-2022-22247.
| Impacted Products | Impacted Version | Fixed Version |
|---|---|---|
| TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5050 and older | 7.0.1-5051 and higher |
| NSsp 15700 | 7.0.1-R579 and older | Mid-April (Hotfix build 7.0.1-5030-HF-R844) |
| NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300 | 6.5.4.4-44v-21-1452 and earlier | 6.5.4.4-44v-21-1519 and higher |
Recommendations for CVE-2022-22247
Arctic Wolf strongly recommends that organizations using impacted firewalls follow the vendor guidance, either by patching or by implementing the available workarounds.
Recommendation #1: Patch Affected Firewall Products
Apply the applicable "Fixed Version" patch from the table above to the affected SonicWall products.
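To turn the table above into a repeatable check across a device inventory, here is an added triage script (written for this post, not SonicWall's or Arctic Wolf's code). It assumes you can export each appliance's model name and firmware string; hostnames and builds in the sample inventory are constructed. Builds that fall between the "and older" and "and higher" values are reported as unknown rather than assumed safe, since the advisory makes no statement about them.

```python
import re

# Rows copied from the advisory table above: (models, last affected build, first fixed build).
ADVISORY = [
    ({"TZ270", "TZ270W", "TZ370", "TZ370W", "TZ470", "TZ470W", "TZ570", "TZ570W",
      "TZ570P", "TZ670", "NSa 2700", "NSa 3700", "NSsp 11700", "NSsp 13700",
      "NSv 270", "NSv 470", "NSv 870"}, "7.0.1-5050", "7.0.1-5051"),
    ({"NSsp 15700"}, "7.0.1-R579", "7.0.1-5030-HF-R844"),
    ({"NSv 10", "NSv 25", "NSv 50", "NSv 100", "NSv 200", "NSv 300"},
     "6.5.4.4-44v-21-1452", "6.5.4.4-44v-21-1519"),
]

def parse_build(version: str) -> tuple:
    """Reduce a SonicOS version string to its numeric fields so builds of the same
    release train compare as tuples: '7.0.1-5050' -> (7, 0, 1, 5050),
    '7.0.1-R579' -> (7, 0, 1, 579), '6.5.4.4-44v-21-1452' -> (6, 5, 4, 4, 44, 21, 1452)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))

def assess(model: str, version: str) -> str:
    """Classify one appliance: 'not listed', 'vulnerable', 'fixed' or 'unknown build'."""
    for models, last_bad, first_good in ADVISORY:
        if model not in models:
            continue
        build, bad, good = (parse_build(v) for v in (version, last_bad, first_good))
        if build[:3] != bad[:3]:  # different release train than the table row
            return "unknown build"
        if build <= bad:
            return "vulnerable"
        if build >= good:
            return "fixed"
        # Between "X and older" and "Y and higher": the advisory says nothing,
        # so do not assume the build is safe; confirm with the vendor.
        return "unknown build"
    return "not listed"

def triage(inventory):
    """inventory: iterable of (hostname, model, version) -> {hostname: status}."""
    return {host: assess(model, ver) for host, model, ver in inventory}

# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE = [
    ("fw-branch-1", "TZ370", "7.0.1-5050"),           # last affected build
    ("fw-branch-2", "TZ670", "7.0.1-5051"),           # first fixed build
    ("fw-dc-1", "NSsp 15700", "7.0.1-R579"),          # affected
    ("fw-dc-2", "NSsp 15700", "7.0.1-5030-HF-R844"),  # hotfix build from the table
    ("nsv-lab", "NSv 100", "6.5.4.4-44v-21-1470"),    # between the two stated builds
    ("fw-other", "TZ350", "6.5.4.8-89n"),             # model not in the advisory table
]
```

A "not listed" result only means the model is absent from this advisory's table; it says nothing about other advisories.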
Recommendation #2: Implement Vendor Provided Workarounds
Until the appropriate patches can be applied, SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources and/or disable management access from untrusted internet sources. The workarounds below detail how to modify the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management). This will only allow management access from trusted source IP addresses.