CVE-2023-26095
📋 TL;DR
A vulnerability in the ASQ component of Stormshield Network Security (SNS) allows remote attackers to cause a denial-of-service crash by sending a specially crafted SIP packet. This affects SNS firewall appliances running vulnerable versions and can disrupt the network security services they provide.
💻 Affected Systems
- Stormshield Network Security (SNS)
⚠️ Risk & Real-World Impact
Worst Case
Complete firewall crash leading to network security bypass, allowing unrestricted traffic flow and potential network compromise.
Likely Case
Denial-of-service causing firewall reboot and temporary network disruption until service restoration.
If Mitigated
Minimal impact where network segmentation is in place and monitoring detects anomalous SIP traffic.
🎯 Exploit Status
Exploitation requires network access to the firewall's SIP processing interface. No authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.16 or 4.6.3
Vendor Advisory: https://advisories.stormshield.eu/2023-007/
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download the appropriate firmware update from the Stormshield portal.
3. Apply the update via the web interface or CLI.
4. Reboot the appliance.
5. Verify the version and functionality.
🔧 Temporary Workarounds
Disable SIP Inspection
Temporarily disable SIP packet inspection in ASQ rules to prevent exploitation.
Navigate to Security Policies > Application Security > Disable SIP inspection rules
Network Segmentation
Restrict SIP traffic to trusted sources only using firewall rules.
Add firewall rule to allow SIP only from trusted IP ranges
🧯 If You Can't Patch
- Implement strict network ACLs to limit SIP traffic to trusted sources only
- Deploy network monitoring to detect anomalous SIP packets and potential exploitation attempts
🔍 How to Verify
Check if Vulnerable:
Check the current firmware version via the web interface (System > Information) or the CLI command 'show version'
Check Version:
show version
Verify Fix Applied:
Confirm the version is 4.3.16 or higher on the 4.3.x branch, or 4.6.3 or higher on the 4.6.x branch
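A version check that encodes the branch rule above, added here as an example and not Stormshield's own tooling. It assumes the version is available as an X.Y.Z string (copied from the web interface or CLI output) and treats branches the advisory does not name as unverified rather than fixed, since a plain numeric comparison would wrongly mark them safe.

```python
"""Branch-aware fix check for CVE-2023-26095 (added example, not vendor code).

The advisory names two fixed releases: 4.3.16 on the 4.3.x branch and 4.6.3 on
the 4.6.x branch. A plain numeric comparison is not enough: 4.5.2 is "greater"
than 4.3.16 but is not on a branch the advisory lists as fixed, so the check
reports it as unverified instead of guessing.
"""
import re

# Minimum fixed release per branch, exactly as given in the advisory.
FIXED_BY_BRANCH = {
    (4, 3): (4, 3, 16),
    (4, 6): (4, 6, 3),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract the first X.Y.Z version from CLI or UI text; None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def fix_status(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unverified' for a version string.

    'unverified' means the version could not be parsed or its branch is not
    one the advisory lists as fixed, so it must be checked against vendor
    guidance rather than assumed safe.
    """
    version = parse_version(text)
    if version is None:
        return "unverified"
    minimum = FIXED_BY_BRANCH.get(version[:2])
    if minimum is None:
        return "unverified"
    return "fixed" if version >= minimum else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs; the real 'show version' output format is not assumed.
    for sample in ["4.3.15", "4.3.16", "4.6.2", "SNS version 4.6.3", "4.5.2", "n/a"]:
        print(f"{sample!r:>22} -> {fix_status(sample)}")
```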
📡 Detection & Monitoring
Log Indicators:
- Firewall crash/reboot events
- ASQ component failure logs
- SIP packet processing errors
Network Indicators:
- Unusual SIP traffic patterns
- Malformed SIP packets to firewall interfaces
SIEM Query:
source="stormshield" AND (event_type="crash" OR component="ASQ" OR protocol="SIP")