SonicWall (SonicWall Firewall) Family Security Update Advisory (CVE-2022-22274, CVE-2023-0656)
Overview
SonicWall (https://www.sonicwall.com) has released a security update that fixes vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
These vulnerabilities affect only the “Web Management” interface in SonicOS; the SonicOS SSLVPN interface is not affected.
CVE-2022-22274
| Product Name | Affected Platforms | Affected Versions | Updated Version |
|---|---|---|---|
| SonicWall Firewalls | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5050 and below | 7.0.1-5051 and later |
| SonicWall NSsp Firewall | NSsp 15700 | 7.0.1-R579 and earlier | Hotfix build 7.0.1-5030-HF-R844 |
| SonicWall NSv Firewalls | NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | 6.5.4.4-44v-21-1452 and earlier | 6.5.4.4-44v-21-1519 |
CVE-2023-0656
| Product Name | Affected Platforms | Affected Versions | Updated Version |
|---|---|---|---|
| SonicWall Firewalls | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSv 270, NSv 470, NSv 870 | 7.0.1-5095 and below | 7.0.1-5111 and later |
| SonicWall NSsp Firewall | NSsp 15700 | 7.0.1-5083 and earlier | 7.0.1-5100 and later |
| SonicWall NSv Firewalls | NSv 10, NSv 25, NSv 50, NSv 100, NSv 200, NSv 300, NSv 400, NSv 800, NSv 1600 | 6.5.4.4-44v-21-1551 and later | TBD |
Resolved Vulnerabilities
CVE-2022-22274
A stack buffer overflow vulnerability in SonicOS. This vulnerability could allow an unauthenticated, remote attacker to cause the affected firewall product to crash, resulting in a denial of service, or potentially execute code on the firewall.
CVE-2023-0656
A stack buffer overflow vulnerability in SonicOS. This vulnerability could allow an unauthenticated, remote attacker to cause a crash of the affected firewall product, resulting in a denial of service.
Vulnerability Patches
Product-specific patches for these vulnerabilities were made available in the April 2023 Update. For more information on the patches, refer to the “FIXED SOFTWARE” section of the product-specific documentation on the referenced sites.
Referenced Sites
[1] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0003
[2] https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0004