CVE-2022-23989
📋 TL;DR
This vulnerability in Stormshield Network Security (SNS) firewalls allows an attacker to cause a denial of service by flooding the SSLVPN service with connections, saturating the loopback interface and blocking almost all network traffic, rendering the firewall unreachable. It affects SNS versions before 3.7.25, 3.8.x through 3.11.x before 3.11.13, 4.x before 4.2.10, and 4.3.x before 4.3.5.
💻 Affected Systems
- Stormshield Network Security (SNS)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete network outage due to firewall becoming unreachable, disrupting all traffic and potentially requiring physical intervention to restore service.
Likely Case
Temporary denial of service affecting network availability, leading to downtime and operational disruption until the firewall recovers or is manually reset.
If Mitigated
Minimal impact if patched or workarounds applied, with potential for brief service degradation but no sustained outage.
🎯 Exploit Status
Exploitation involves sending forged traffic to the SSLVPN service, which is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.25, 3.11.13, 4.2.10, 4.3.5 or later
Vendor Advisory: https://advisories.stormshield.eu/2022-003
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate patch from the Stormshield support portal.
3. Apply the patch via the firewall management interface.
4. Restart the firewall to activate the fix.
🔧 Temporary Workarounds
Disable SSLVPN Service
Temporarily disable the SSLVPN service to prevent exploitation; this will interrupt remote access over SSL VPN until the service is re-enabled.
Use the Stormshield management interface to navigate to VPN > SSL VPN and disable the service.
Rate Limit SSLVPN Connections
Configure rate limiting on SSLVPN connections to reduce the impact of connection floods, if supported by the firewall version.
Check Stormshield documentation for specific rate-limiting commands based on your version.
🧯 If You Can't Patch
- Implement network segmentation to isolate the SSLVPN service from untrusted networks.
- Monitor for unusual connection spikes to the SSLVPN service and set up alerts for potential attacks.
🔍 How to Verify
Check if Vulnerable:
Check the firewall version via the management interface or CLI; if it matches the affected version range and SSLVPN is enabled, it is vulnerable.
Check Version:
In the Stormshield CLI, use the command: 'show version' or check via the web interface under System > Information.
Verify Fix Applied:
After patching, verify the version is updated to a fixed version and test SSLVPN functionality under normal load.
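As an added helper (not from the advisory or from Stormshield), the check below encodes the affected version ranges listed above so a version string pulled from the CLI or web interface can be classified consistently; the version string format and the parsing helper are assumptions.

```python
import re

# Affected ranges as stated in the advisory, as (lower_inclusive, upper_exclusive).
# A lower bound of None means "every version below the fixed release".
AFFECTED_RANGES = [
    (None, (3, 7, 25)),         # before 3.7.25
    ((3, 8, 0), (3, 11, 13)),   # 3.8.x through 3.11.x before 3.11.13
    ((4, 0, 0), (4, 2, 10)),    # 4.x before 4.2.10
    ((4, 3, 0), (4, 3, 5)),     # 4.3.x before 4.3.5
]


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string.

    Accepts a bare '4.2.9' or a longer banner such as
    'SNS 3.11.12 (build 1234)' (constructed format, an assumption).
    Raises ValueError when no x.y.z version is present.
    """
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text, sslvpn_enabled=True):
    """Return True when the version falls in an affected range and the
    SSLVPN service is enabled, which is the advisory's exposure condition.
    Versions at or above each fixed release are reported as not affected."""
    if not sslvpn_enabled:
        return False
    version = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if (low is None or version >= low) and version < high:
            return True
    return False


if __name__ == "__main__":
    # Constructed sample banners, not real device output.
    for banner in ("SNS 4.2.9 (build 1234)", "SNS 4.2.10", "SNS 3.11.12", "SNS 4.3.5"):
        state = "VULNERABLE" if is_vulnerable(banner) else "fixed/not affected"
        print(f"{banner}: {state}")
```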
📡 Detection & Monitoring
Log Indicators:
- High volume of connection attempts to SSLVPN service in firewall logs
- Log entries indicating loopback interface saturation or traffic blocking
Network Indicators:
- Unusual spike in traffic to the SSLVPN port (default TCP 443)
- Increased latency or packet loss on the firewall interface
SIEM Query:
Example: 'source="stormshield_firewall" AND event_type="connection_flood" AND service="sslvpn"'