Security Notice: Critical Unauthenticated Stack-Based Buffer Overflow Vulnerability In SonicOS
Description
A stack-based buffer overflow vulnerability in SonicOS via HTTP request allows a remote unauthenticated attacker to cause a Denial of Service (DoS) or potentially results in a code execution in the firewall.
SonicWall's Product Security Incident Response Team (PSIRT) is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public and malicious use of this vulnerability has not been reported to SonicWall.
SonicWall strongly urges organizations using impacted SonicWall firewalls listed below to follow the provided guidance.
NOTE:
This vulnerability ONLY impacts the SonicOS web management interface. The SonicOS SSLVPN interface is not impacted.
IMPACTED
An unauthenticated stack-based buffer overflow in the SonicOS via HTTP request allows a remote unauthenticated attacker to cause Denial of Service (DoS) or potentially results in code execution in the firewall.
The below SonicWall appliances are impacted by this vulnerability.
| Impacted Platforms | Impacted Version |
| TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5050 and earlier |
| NSsp 15700 | 7.0.1-R579 and earlier |
| NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | 6.5.4.4-44v-21-1452 and earlier |
UNIMPACTED
The following firewall platforms are not impacted.
| Unimpacted Firewall Generation | Unimpacted Platforms |
| SonicWall Gen5 Firewalls | SOHO, TZ100, TZ100W, TZ105, TZ105W, TZ200, TZ200W, TZ205, TZ205W, TZ210, TZ210W, TZ215, TZ215W, NSA220, NSA220W, NSA240, NSA2400, NSA2400MX, NSA250M, NSA250MW, NSA3500, NSA4500, NSA5000, NSAE5500, NSAE6500, NSAE7500, NSAE8500, NSAE8510 |
| SonicWall Gen6 Firewalls | SOHOW, SOHO 250, SOHO 250W, TZ300, TZ300P, TZ300W, TZ350, TZ350W, TZ400, TZ400W, TZ500, TZ500W, TZ600, TZ600P , NSA 2600, NSA3600, NSA4600, NSA5600, NSA6600, SM9200, SM9400, SM9400, SM9600, SM9800, SM10200, SM10400, SM10800, NSsp12400, NSsp12800 |
| SonicWall Gen 6.5 Firewalls | NSa 2650, NSa3650, NSa4650, NSa5650, NSa6650, NSa9250, NSa9450, NSa9650 |
MITIGATIONS
Until the below patches can be applied SonicWall PSIRT strongly recommends that administrators limit SonicOS management access to trusted sources (and/or disable management access from untrusted internet sources) by modifying the existing SonicOS management access rules (SSH/HTTPS/HTTP). This will only allow management access from trusted source IP addresses. Please refer to the following knowledge base articles:
- Suggested tips when allowing access to SonicWall web management
- How to restrict Admin access to the device
RESOLUTION
Apply applicable ‘Fixed Version’ patch to the affected SonicWall products. For NSsp 15700, continue with the temporary mitigation to avoid exploitation or reach out to the SonicWall support team who can provide you with a hotfix firmware (7.0.1-5030-HF-R844). SonicWall expects an official firmware version with necessary patches for NSsp15700 to be available in mid-April 2022.
| Product | Impacted Platforms | Impacted Version | Fixed Version |
| SonicWall Firewalls | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5050 and earlier | 7.0.1-5051 and higher |
| SonicWall NSsp Firewall | NSsp 15700 | 7.0.1-R579 and earlier | Mid-April (Hotfix build 7.0.1-5030-HF-R844) |
| SonicWall NSv Firewalls | NSv 10, NSv 25, NSv 50, Nsv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | 6.5.4.4-44v-21-1452 and earlier | 6.5.4.4-44v-21-1519 and higher |
ADDITIONAL RESOURCES