SonicWall Firewall Devices Vulnerable to DoS Attacks
Coalition Security Labs has been monitoring the events surrounding the disclosure of a proof-of-concept (POC) impacting SonicWall's next-generation firewall (NGFW) series 6 and 7 devices.
On January 15, 2024, security consulting firm Bishop Fox confirmed that POCs were available for two previously disclosed SonicWall vulnerabilities, CVE-2022-22274 and CVE-2023-0656. Bishop Fox researchers scanned SonicWall firewalls with administrative panels exposed to the public internet and found "76% (178,637 of 233,984) are vulnerable to one or both issues." The vulnerabilities were discovered using BinaryEdge, the same scanning technology that underpins Coalition Control™, our cyber risk management platform.
Coalition Security Labs immediately began assessing policyholders* for publicly available SonicWall devices meeting the POC criteria, and Coalition's Security Support Center (SSC) began proactive outreach to policyholders.
SonicWall disclosed these vulnerabilities in 2022 and 2023, respectively, but had not observed any exploitation in the wild. Both vulnerabilities enable a denial-of-service (DoS) attack: in SonicOS's default configuration, an unauthorized attacker can easily trigger a crash that causes the device to reboot. After three crashes in a short period of time, the device boots into maintenance mode and requires administrative action to restore normal functionality.
Vulnerability scanners, like Coalition Control, help teams find and address unpatched vulnerabilities in their systems. However, when a vendor obfuscates the firmware version, administrators lose that capability. SonicWall devices do not expose their firmware version, which prevents Coalition Control and other external vulnerability scanners from detecting unpatched systems.
Coalition Security Labs used Bishop Fox’s POC to identify policyholders running a SonicWall device vulnerable to the attack — but without crashing or restarting the device. SonicWall devices running the following firmwares are considered vulnerable:
SonicWall versions 7.0.1-5050 and earlier are impacted by CVE-2022-22274
SonicWall versions 7.0.1-5095 and earlier are impacted by CVE-2023-0656
What can policyholders do?
Coalition advises all policyholders to check their SonicWall devices and ensure they are updated to firmware version 7.0.1-5111 or higher using the patches found in the vendor advisory. We also strongly recommend removing the SonicWall web management interface from the public internet to help mitigate any future vulnerabilities.
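Because the firmware version cannot be read from outside, the version thresholds above have to be checked against an internal inventory instead. The following added example (not Coalition's or SonicWall's code) applies the page's thresholds to a constructed list of devices; it also flags builds below the recommended 7.0.1-5111 and any device whose web management interface is still on the public internet. Hostnames, versions and the inventory format are assumptions for illustration.

```python
import re

# Thresholds quoted in the advisory above (SonicOS 7.x build numbers only;
# the page gives no Gen 6 build numbers, so non-7.x firmware is reported as None).
LAST_VULN_CVE_2022_22274 = (7, 0, 1, 5050)
LAST_VULN_CVE_2023_0656 = (7, 0, 1, 5095)
RECOMMENDED_VERSION = (7, 0, 1, 5111)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_sonicos_version(text):
    """'7.0.1-5095' -> (7, 0, 1, 5095); None if not in the 7.x form used on this page."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def affected_cves(version):
    """CVEs from the advisory that apply to a parsed 7.x version tuple."""
    if version is None or version[0] != 7:
        return None  # no data on this page for this firmware line
    cves = []
    if version <= LAST_VULN_CVE_2022_22274:
        cves.append("CVE-2022-22274")
    if version <= LAST_VULN_CVE_2023_0656:
        cves.append("CVE-2023-0656")
    return cves


def triage(inventory):
    """inventory: iterable of (hostname, version_string, mgmt_ui_on_internet)."""
    report = {}
    for host, ver, mgmt_public in inventory:
        parsed = parse_sonicos_version(ver)
        cves = affected_cves(parsed)
        report[host] = {
            "cves": cves,  # None means the version could not be assessed
            "below_recommended": None if parsed is None else parsed < RECOMMENDED_VERSION,
            "mgmt_exposed": bool(mgmt_public),  # page recommends removing public access
        }
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("fw-branch-1", "7.0.1-5050", True),   # both CVEs, management UI on the internet
    ("fw-branch-2", "7.0.1-5080", False),  # CVE-2023-0656 only
    ("fw-hq", "7.0.1-5111", True),         # at recommended build, but UI still exposed
    ("fw-unknown", "n/a", False),          # version never recorded in the inventory
]

if __name__ == "__main__":
    for host, row in triage(SAMPLE_INVENTORY).items():
        print(host, row)
```

A version between 7.0.1-5095 and 7.0.1-5111 is outside the vulnerable range the page gives but still reported as below the recommended build, so both fields should be read together.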
Threat actors routinely scan the internet for exposed management interfaces and panels to gain unauthorized access to corporate networks. Cybersecurity and Infrastructure Security Agency (CISA) guidance on internet-exposed management interfaces further highlights the associated risks.
As a best practice, we recommend businesses sign up for alerts from their firewall manufacturer and implement a regular patch cadence to update the firewall's firmware in a timely manner. Given the critical role firewalls play in perimeter defense, organizations may hesitate to apply a patch as they likely have a low threshold for downtime.
However, firmware patches often need to be applied sequentially and can cause prolonged downtime when several patches must be applied to remediate a critical vulnerability. When businesses fall behind in their patch cadence, they run the risk of hosting vulnerable devices or running a firmware version no longer supported by the vendor.
Coalition will continue actively monitoring for risks associated with these two vulnerabilities and send alerts using Coalition Control™. Coalition Control is available for all policyholders, and users can invite their IT team to Control to further support prompt alert reviews and responses.
When in doubt, brokers and policyholders can open a ticket or schedule a call with Coalition's Security Support Center for assistance.
*Insurance products referenced herein are offered by Coalition Insurance Solutions, Inc. (“CIS”), a licensed insurance producer with its principal place of business in San Francisco, CA (Cal. license #0L76155), acting on behalf of a number of unaffiliated insurance companies. A list of our admitted carriers is available here. Complete license information for CIS is available here. Insurance products offered through CIS may not be available in all states. All insurance products are governed by the terms and conditions set forth in the applicable insurance policy. Please see a copy of your policy for the full terms and conditions. Any information on this communication does not in any way alter, supplement, or amend the terms and conditions of the applicable insurance policy and is intended only as a brief summary of such insurance products. Policy obligations are the sole responsibility of the issuing insurance carrier. The descriptions provided herein are solely for informational purposes and are not to be construed as advice of any kind or the rendering of consulting, financial, legal, or other professional services from Coalition. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information.