CVE-2023-34198
📋 TL;DR
This vulnerability in Stormshield Network Security (SNS) firewalls occurs when a Network object created from an inactive DHCP interface is used in filtering rules, causing the firewall to treat it as an 'any' type object. This can lead to unintended access control bypasses. Organizations using affected SNS firewall versions are impacted.
💻 Affected Systems
- Stormshield Network Security (SNS)
📦 What is this software?
Stormshield Network Security (SNS) is Stormshield's line of network firewall appliances; the flaw lies in how SNS filtering rules resolve Network objects derived from DHCP interfaces.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass firewall filtering rules entirely, gaining unauthorized network access to protected systems or services.
Likely Case
Incorrect firewall rule enforcement allowing unintended network traffic through due to misconfigured Network objects.
If Mitigated
Proper network segmentation and defense-in-depth controls limit potential lateral movement even if filtering is bypassed.
🎯 Exploit Status
Exploitation requires specific network configuration conditions and knowledge of affected Network objects.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SNS 3.7.37, 3.11.25, 4.3.19, 4.6.6, or 4.7.1
Vendor Advisory: https://advisories.stormshield.eu/2023-019
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the Stormshield support portal.
2. Back up the current configuration.
3. Apply the patch via the SNS web interface or CLI.
4. Reboot the firewall as required.
5. Verify the patch installation and configuration integrity.
🔧 Temporary Workarounds
Remove DHCP-based Network Objects
Identify and remove Network objects created from DHCP interfaces from all filtering rules.
- Check via the SNS web interface: Configuration > Network > Objects
- Remove the affected objects from all firewall rules
Use Static IP Objects
Replace DHCP-based Network objects with static IP address objects in filtering rules.
- Create new static IP objects in Configuration > Network > Objects
- Update firewall rules to use the static objects
🧯 If You Can't Patch
- Audit all Network objects and remove any created from DHCP interfaces from filtering rules
- Implement additional network segmentation controls and monitor for unexpected traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check the SNS version via the web interface (Dashboard > System > Information) or the CLI command 'show version'. Then check whether any filtering rules reference Network objects created from DHCP interfaces.
Check Version:
show version
Verify Fix Applied:
After patching, verify that the reported version is one of the fixed releases, then confirm that a filtering rule referencing a Network object built from an inactive DHCP interface no longer matches all traffic (i.e. it is no longer treated as an 'any' object).
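As an added example (not from the page or from Stormshield), a small Python check that compares a reported SNS version against the fixed releases listed above, per maintenance branch. Extracting the version with a regex from 'show version' output is an assumption, since the page does not show that output format; branches the advisory does not list are reported as unknown rather than guessed.

```python
"""Compare an SNS version string against the releases that fix CVE-2023-34198."""
import re

# Fixed releases from the advisory, keyed by maintenance branch (major, minor).
FIXED_RELEASES = {
    (3, 7): (3, 7, 37),
    (3, 11): (3, 11, 25),
    (4, 3): (4, 3, 19),
    (4, 6): (4, 6, 6),
    (4, 7): (4, 7, 1),
}


def parse_version(text):
    """Return the first x.y.z version found in text as an int tuple.

    The exact 'show version' output format is not given on the page, so this
    only assumes a dotted numeric version appears somewhere in it.
    """
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not match:
        raise ValueError("no x.y.z version string found")
    return tuple(int(part) for part in match.groups())


def assess(version):
    """Classify an (x, y, z) tuple: 'patched', 'vulnerable' or 'unknown-branch'."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        # Branch not listed in the advisory: consult the vendor advisory instead of guessing.
        return "unknown-branch"
    return "patched" if version >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample output, not real firewall output.
    sample = "Stormshield Network Security version 4.3.18"
    print(assess(parse_version(sample)))  # vulnerable
```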
📡 Detection & Monitoring
Log Indicators:
- Unexpected firewall rule matches
- Traffic allowed that should be blocked according to configured rules
- DHCP interface state changes
Network Indicators:
- Traffic flows that bypass expected firewall restrictions
- Unusual network connections from unexpected sources
SIEM Query (pseudo-query; adapt the field names to your log schema):
firewall_action=allow AND (rule_name="*DHCP*" OR object_type="DHCP") AND NOT expected_traffic