The security hole, tracked as CVE-2022-22274 (CVSS 9.4), is a stack-based buffer overflow in SonicOS. A remote, unauthenticated attacker can exploit the flaw by sending crafted HTTP requests, causing a denial-of-service (DoS) condition or executing code on the firewall.

Over 30 SonicWall appliances running software versions 7.0.1-5050 and older, 7.0.1-R579 and older, and 6.5.4.4-44v-21-1452 and earlier are affected by the vulnerability. SonicWall has released software versions 7.0.1-5051 and 6.5.4.4-44v-21-1519 to patch the problem. A hotfix for the NSsp 15700 firewall will be available in mid-April, according to the company.

Customers who can’t apply the available updates right away can mitigate the issue by limiting SonicOS administration access to trusted IP addresses. To do so, change the SonicOS management access rules (SSH/HTTPS/HTTP Management) so that only trusted sources are allowed.

“Continue with the temporary mitigation to avoid exploitation for NSsp 15700, or contact the SonicWall support team for a hotfix firmware” (7.0.1-5030-HF-R844). “An official firmware release with essential patches for the NSsp15700 is expected to be available in mid-April 2022,” according to SonicWall.

SonicWall says it is not aware of this vulnerability being actively exploited in the wild, and that no proof-of-concept (PoC) code targeting the flaw is publicly available.