PoC for SonicWall SSL-VPN (CVE-2023-0656) DoS Flaw Published


SonicWall’s firewall has been a widely used network security product for many years, protecting networks from a range of online threats. However, a vulnerability was recently discovered in SonicWall’s firewall that could allow a remote, unauthenticated attacker to cause a denial of service (DoS), crashing the affected firewall. The vulnerability has been assigned CVE-2023-0656 and a CVSS score of 7.5, indicating a severe vulnerability. Today, a security researcher from SSD Labs released proof-of-concept (PoC) exploit code for the CVE-2023-0656 flaw.

The vulnerability affects only the web management interface, not the SonicOS SSLVPN interface. It is a stack-based buffer overflow in the httpServer function, which does not check the return value of snprintf before using it to calculate the remaining buffer length. An attacker can exploit this flaw to impact the availability of the target server.


The root cause lies within the httpServer function. When handling requests to paths that begin with /stats/ or certain other strings, such as /Security_Services/, the code executes the snprintf logic. The first snprintf prints the request method and the path the request is addressed to. If the path exceeds the size specified in the function call, snprintf still returns the length of the full, untruncated string, even though only the portion that fits is written to the buffer. The next snprintf call subtracts that return value from 1024 to compute its length argument. If the return value is greater than 1024, the result is negative, and because snprintf's second (size) argument is unsigned, it is interpreted as a very large value instead. This leads to a buffer overflow with arbitrary data, which in turn causes the denial of service condition by overwriting the stack canary.
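To make the arithmetic concrete, the following added example (constructed for this article; it is neither SonicWall's code nor the published PoC) contrasts the unchecked snprintf chaining with a clamped version that cannot be driven past the buffer. The 1024-byte BUF_SIZE, the "GET" method string and the 'A'-filled request path are assumptions.

```c
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 1024

/* Vulnerable pattern, constructed to mirror the description above (not
 * SonicWall's code). snprintf returns the length the full output WOULD
 * have had, so for a long path n > BUF_SIZE, BUF_SIZE - n is negative and
 * the size_t conversion yields a huge value. This function only reports
 * that value; the real bug hands it to a second snprintf as the size. */
size_t unchecked_remaining(const char *method, const char *path) {
    char buf[BUF_SIZE];
    int n = snprintf(buf, sizeof buf, "%s %s", method, path);
    return (size_t)(BUF_SIZE - n);            /* wraps when n > BUF_SIZE */
}

/* Hardened form: clamp the offset to the buffer before computing the
 * remaining space, so the second snprintf can never write past buf.
 * Returns the number of bytes stored in buf (excluding the NUL). */
size_t append_checked(char *buf, size_t cap, const char *method,
                      const char *path, const char *tail) {
    int n = snprintf(buf, cap, "%s %s", method, path);
    if (n < 0) return 0;                      /* encoding error */
    size_t off = (size_t)n;
    if (off > cap - 1) off = cap - 1;         /* first write was truncated */
    int m = snprintf(buf + off, cap - off, " %s", tail);
    if (m < 0) return off;
    size_t total = off + (size_t)m;
    return total > cap - 1 ? cap - 1 : total;
}

/* Build a constructed request path of path_len 'A's (sample input). */
static void make_path(char *path, size_t cap, size_t path_len) {
    if (path_len > cap - 1) path_len = cap - 1;
    memset(path, 'A', path_len);
    path[path_len] = '\0';
}

size_t demo_unchecked(size_t path_len) {
    char path[4096];
    make_path(path, sizeof path, path_len);
    return unchecked_remaining("GET", path);
}

size_t demo_checked(size_t path_len) {
    char path[4096], buf[BUF_SIZE];
    make_path(path, sizeof path, path_len);
    return append_checked(buf, sizeof buf, "GET", path, "HTTP/1.1");
}
```

Calling demo_unchecked(2000) returns a size far larger than the buffer (the wrapped negative), while demo_checked(2000) returns 1023, the most the buffer can hold.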

A proof-of-concept (PoC) exploit code for the CVE-2023-0656 vulnerability is available here.

It is crucial for organizations using SonicWall’s firewall to take this vulnerability seriously and apply the appropriate patches to mitigate the risk. SonicWall has released a patch to fix this vulnerability and recommends that users install the patch as soon as possible.