CVE-2022-22274
📋 TL;DR
CVE-2022-22274 is a critical stack-based buffer overflow vulnerability in SonicOS firewalls that allows remote unauthenticated attackers to trigger denial of service or potentially execute arbitrary code via specially crafted HTTP requests. This affects organizations using SonicWall firewall appliances with vulnerable firmware versions. The vulnerability is remotely exploitable without authentication, making it particularly dangerous.
💻 Affected Systems
- SonicWall NSv Series
- SonicWall TZ Series
- SonicWall NSa Series
- SonicWall NSsp Series
📦 What is this software?
SonicOS by SonicWall
SonicOSv by SonicWall
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete firewall compromise, lateral movement into protected networks, and persistent backdoor installation.
Likely Case
Denial of service causing firewall crashes and network disruption, potentially followed by limited code execution for information gathering.
If Mitigated
Firewall crashes requiring manual reboot, but no persistent compromise if proper network segmentation and monitoring are in place.
🎯 Exploit Status
Exploitation requires sending a specially crafted HTTP request to the firewall management interface. Multiple proof-of-concept exploits are publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SonicOS 7.0.1-5051 and later
Vendor Advisory: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003
Restart Required: Yes
Instructions:
1. Log into the SonicWall firewall management interface.
2. Navigate to System > Settings > Firmware & Backups.
3. Download and install SonicOS 7.0.1-5051 or later.
4. Reboot the firewall after installation completes.
🔧 Temporary Workarounds
Disable HTTP Management
Disable HTTP-based management access to reduce the attack surface
Navigate to System > Administration > Management > Management Interface Settings and disable HTTP
Restrict Management Access
Limit management interface access to trusted IP addresses only
Navigate to System > Administration > Management > Management Access and configure IP restrictions
🧯 If You Can't Patch
- Implement strict network segmentation to isolate firewall management interfaces
- Deploy network-based intrusion prevention systems with signatures for this CVE
🔍 How to Verify
Check if Vulnerable:
Check SonicOS version via web interface: System > Status > System Status or CLI: show version
Check Version:
show version
Verify Fix Applied:
Verify that the SonicOS version is 7.0.1-5051 or later and check the System Logs for a successful firmware installation
📡 Detection & Monitoring
Log Indicators:
- Multiple HTTP requests with abnormal length or patterns
- Firewall crash/reboot events
- Buffer overflow error messages in system logs
Network Indicators:
- HTTP requests with unusually long headers or parameters to firewall management IP
- Traffic patterns indicating exploitation attempts
SIEM Query:
source="sonicwall" AND (event_type="crash" OR message="*buffer*overflow*" OR message="*CVE-2022-22274*")
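As an added example (not part of this advisory or any SonicWall tooling), the following Python triage script applies the SIEM query above together with the "abnormal length HTTP request to the management IP" indicator to a batch of log records. The records, the management IP, the `request_len` field and the 8192-byte threshold are all constructed assumptions; real SonicOS log fields will differ and the threshold should be tuned to your environment.

```python
import re

# Constructed sample records in the field shape the SIEM query assumes
# (source / event_type / message). They are not real SonicOS log lines.
SAMPLE_EVENTS = [
    {"source": "sonicwall", "event_type": "http", "dst": "192.0.2.1",
     "request_len": 312, "message": "GET /api/sonicos/ HTTP/1.1"},
    {"source": "sonicwall", "event_type": "http", "dst": "192.0.2.1",
     "request_len": 14200, "message": "POST /api/sonicos/ HTTP/1.1"},
    {"source": "sonicwall", "event_type": "crash",
     "message": "System restarted after unexpected fault"},
    {"source": "sonicwall", "event_type": "system",
     "message": "Buffer overflow detected in HTTP handler"},
    {"source": "linux", "event_type": "crash", "message": "kernel oops"},
]

MGMT_IPS = {"192.0.2.1"}   # assumed firewall management IP(s)
MAX_REQ_LEN = 8192         # assumed threshold for "abnormal length"


def matches_siem_query(ev):
    """Mirror the SIEM query: source="sonicwall" AND (event_type="crash"
    OR message="*buffer*overflow*" OR message="*CVE-2022-22274*")."""
    if ev.get("source") != "sonicwall":
        return False
    msg = ev.get("message", "")
    return (ev.get("event_type") == "crash"
            or re.search(r"buffer.*overflow", msg, re.IGNORECASE) is not None
            or "CVE-2022-22274" in msg)


def oversized_mgmt_request(ev):
    """Network indicator: unusually long HTTP request to the management IP."""
    return (ev.get("source") == "sonicwall"
            and ev.get("event_type") == "http"
            and ev.get("dst") in MGMT_IPS
            and ev.get("request_len", 0) > MAX_REQ_LEN)


def triage(events):
    """Return (message, [reasons]) for every record that trips an indicator."""
    hits = []
    for ev in events:
        reasons = []
        if matches_siem_query(ev):
            reasons.append("siem_query")
        if oversized_mgmt_request(ev):
            reasons.append("oversized_mgmt_request")
        if reasons:
            hits.append((ev["message"], reasons))
    return hits
```

Records flagged by `triage` should be correlated with crash/reboot events on the same appliance before escalating; a single oversized request on its own is weak evidence.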