CVE-2022-50695
📋 TL;DR
This vulnerability allows unauthenticated attackers to abuse network diagnostic scripts (ping.php, traceroute.php, dns.php) in SOUND4 products to launch ICMP flood attacks against arbitrary external hosts. It affects SOUND4 IMPACT, FIRST, PULSE, and Eco systems running version 2.x, potentially enabling network-based denial-of-service attacks.
💻 Affected Systems
- SOUND4 IMPACT
- SOUND4 FIRST
- SOUND4 PULSE
- SOUND4 Eco
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use vulnerable systems as amplifiers for large-scale ICMP flood attacks against critical infrastructure, causing widespread network disruption and potential service outages.
Likely Case
Attackers will use vulnerable systems to launch ICMP flood attacks against specific targets, causing network degradation or denial-of-service for victim systems.
If Mitigated
With proper network segmentation and egress filtering, impact is limited to internal network disruption rather than external attack amplification.
🎯 Exploit Status
Exploitation requires only HTTP requests to vulnerable endpoints with target parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.sound4.com/
Restart Required: No
Instructions:
Check vendor website for security updates. No specific patch version is documented in public sources.
🔧 Temporary Workarounds
Block access to vulnerable scripts
all: Restrict HTTP access to the ping.php, traceroute.php, and dns.php scripts
# Example for Apache (mod_rewrite, needs "RewriteEngine On"): RewriteRule ^/?(ping|traceroute|dns)\.php$ - [F]
# Example for Nginx (place before any generic \.php$ location): location ~ ^/(ping|traceroute|dns)\.php$ { deny all; }
Implement authentication
all: Require authentication for all administrative and diagnostic interfaces
# Configure web server authentication for affected directories
🧯 If You Can't Patch
- Network segmentation: Isolate affected systems in separate VLANs with strict egress filtering
- Implement rate limiting and monitoring for ICMP traffic from affected systems
🔍 How to Verify
Check if Vulnerable:
Test whether http://[target]/ping.php?host=[external_ip] returns an ICMP response without authentication
Check Version:
Check system documentation or web interface for version information
Verify Fix Applied:
Verify that the scripts are no longer accessible or now require authentication, and confirm that ICMP flood attempts fail
📡 Detection & Monitoring
Log Indicators:
- Repeated HTTP requests to ping.php, traceroute.php, or dns.php with external IP parameters
- Unusual ICMP traffic patterns from affected systems
Network Indicators:
- High volume of ICMP traffic originating from SOUND4 systems
- ICMP flood patterns targeting external addresses
SIEM Query:
dest_ip=[sound4_system] AND (uri_path="/ping.php" OR uri_path="/traceroute.php" OR uri_path="/dns.php")
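The first log indicator above (repeated requests to the diagnostic scripts with external IP parameters) can be checked offline against the web server's access log. The Python below is an added example, not code from the advisory or from SOUND4; the Common/Combined Log Format, the internal network list, the threshold of 3, and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

DIAG_SCRIPTS = {"/ping.php", "/traceroute.php", "/dns.php"}
# Assumption: networks this site treats as internal; everything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumption: the web server writes Common/Combined Log Format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def external_targets(uri):
    """Return external IPs found in any query parameter of a diagnostic script URI."""
    parts = urlsplit(uri)
    if parts.path.lower() not in DIAG_SCRIPTS:
        return []
    found = []
    for _name, value in parse_qsl(parts.query):
        try:
            ip = ipaddress.ip_address(value.strip())
        except ValueError:
            continue  # hostnames are not resolved or classified here
        if not any(ip in net for net in INTERNAL_NETS):
            found.append(str(ip))
    return found

def flag_abuse(lines, threshold=3):
    """Return {(client, target): count} for pairs with >= threshold served requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group(3).startswith("2"):
            continue  # unparsable, or denied (e.g. 403 once the workaround is in place)
        for target in external_targets(m.group(2)):
            hits[(m.group(1), target)] += 1
    return {pair: n for pair, n in hits.items() if n >= threshold}

# Constructed sample access-log lines (documentation-range addresses, not real hosts).
# Parameter names on traceroute.php and dns.php are placeholders; matching ignores names.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2022:10:00:01 +0000] "GET /ping.php?host=203.0.113.10 HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Dec/2022:10:00:02 +0000] "GET /ping.php?host=203.0.113.10 HTTP/1.1" 200 312',
    '198.51.100.7 - - [10/Dec/2022:10:00:03 +0000] "GET /traceroute.php?host=203.0.113.10 HTTP/1.1" 200 640',
    '192.168.1.50 - - [10/Dec/2022:10:05:00 +0000] "GET /ping.php?host=192.168.1.1 HTTP/1.1" 200 298',
    '198.51.100.9 - - [10/Dec/2022:10:06:00 +0000] "GET /dns.php?host=203.0.113.10 HTTP/1.1" 403 153',
]

if __name__ == "__main__":
    for (client, target), n in flag_abuse(SAMPLE_LOG).items():
        print(f"ALERT {client} drove {n} diagnostic requests at {target}")
```

Requests that name a hostname instead of an IP address are skipped by this check, so pair it with the ICMP volume indicators listed under Network Indicators.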
🔗 References
- https://exchange.xforce.ibmcloud.com/vulnerabilities/247948
- https://packetstormsecurity.com/files/170255/SOUND4-IMPACT-FIRST-PULSE-Eco-2.x-ICMP-Flood-Attack.html
- https://www.sound4.com/
- https://www.vulncheck.com/advisories/sound-impactfirstpulseeco-x-icmp-flood-attack-via-network-commands
- https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5728.php