Staggering number of Sonicwall firewalls are at the risk of RCE attacks, more than 178,000

As Sonicwall is a commonly used firewall in large firms, it is targeted more often than other firewall programs. Hackers keep finding small loop holes in the security patch of the program to exploit the system.

Confidential data is being accessed by using any cracks in the security of the program as a leverage in Sonicwall Firewalls which in turn makes it easier to other users to get an access to confidential data leading to many more malware attacks. This increases the risk factor by tenfold as a result.

After a recent research Cybersecurity researchers at Bishopfox came to a staggering number of 178,000 vulnerable Sonicwall firewalls.

Types of Sonicwall Firewall Vulnerable to RCE Attacks are:

Mainly it is noted that SonicWall NGFW series 6 and 7 have unauthenticated DoS vulnerabilities (CVE-2022-22274CVE-2023-0656), which researchers said could be an exploitive hole that hackers are using for remote access and modification of inbuilt code.  Though, it is also noted that as of now no attacks were found, through this means, however a POC for CVE-2023-0656 is at risk of future attacks as a data recently from BinaryEdge dictates that up to 76% (178,637 of 233,984) of  Sonicwall firewalls is exposed currently which can result in future attacks. This kind of attack could be especially damaging because of the fact that three crashes can lead to a default permanent code state of system. Other than this cybersecurity analysts have given a thorough analysis of “CVE-2022-22274” using Ghidra and BinDiff using different tools for seeing the potential threat to the series.

Some more concerns are coming from the fact that basic key code is producing a diverging effect in HTTP request handling functions. This effect is happening between NSv firmware versions which are and

All of these are leading to immediate patching of the code in these series by Sonicwall developers. The patching essentially deals with the conversion of signed to unsinged symbols. Also, procedural checks for calls are being changed for more fortification especially during second call intake. Other than that the “__snprintf_chk()” is supposed to give an return value equaled to the  characters in the given code which can be seen as a negligible rift in code outcome shown in “snprintf()”.


Vulnerable code change


Patched code change

There is this discrepancy with using maxlen for size_t which is causing integer overflow in case of subtraction from the standard 1024 integer. The developers are writing code with snprintf() which is providing overflown restriction at the time of compiling resulting in differential with __snprintf_chk() causing strlen being set to the highest value. Thus Patched code is adding a check at time interval between snprintf() calls, hereby limiting  the first’s return value under 1024  restoring buffer overflow protection. Other than that as the last measure when the check fails, the second function call is bypassed, canceling the immediate request handling without any change in original calls.

On distinct URI paths, the CVE-2022-22274 and CVE-2023-0656 share the same vulnerability, which could be exploited to crash vulnerable devices.

The researchers are also urging users to perform their own checks for the URI paths of as they share same path on the devices. These can be rectified by users by two main steps for the deployed Sonicwall NGFW devices.

  1. First removal of web management interface immediately and
  2. Secondly, upgradation to the latest version of firmware.

As the overall measure researchers are also prompting users to secure your devices for any DoS attacks.  However as of now remote fingerprinting of Sonicwall is relatively not in practice but in future this could also be a concerns for vulnerable devices for Sonicwall firewall users.