Current State of SonicWall Exposure: Firmware Decryption Unlocks New Insights

This is part two of a three-part series on SonicWall firewalls. See part one for a deep dive into breaking the encryption protecting SWI-formatted firmware. In this second part, we survey the current state of SonicWall appliances on the public internet.

Justification

At Bishop Fox, we pride ourselves on keeping our customers one step ahead of malicious adversaries. Part of what we do to stay on the cutting edge is invest in research that helps us better understand the threat landscape our customers face. The fact is, when it comes to gaining a foothold in a network, edge security devices, and specifically VPN appliances, continue to be an easy target for attackers. In 2024 alone, we’ve seen targeted attacks against appliances from Check Point, Cisco, Ivanti, Fortinet, Palo Alto, Juniper, and SonicWall (just to name a few).

Our customers also tend to be customers of these vendors, so we regularly assess the security of their products. It is our goal to know what security devices our customers have guarding their perimeters, how up-to-date they are, whether they are affected by known vulnerabilities, and how attractive they look to attackers. Forewarned is forearmed, so we strive to protect our customers with best-in-class intelligence.

Impetus

Our current focus on SonicWall was driven by a few factors. In February, SonicWall released an advisory describing a high-severity authentication bypass affecting the SSL VPN component of several firewall appliances. This was the first time a virtual machine appliance (NSv) running SonicOSX was in-scope for a significant vulnerability. In July, another advisory was published, this time a high-severity authentication bypass affecting both the SSL VPN and management components. That was quickly followed by a critical-severity heap overflow published in August.

Up to that point, most of the existing research on SonicWall had focused on the previous generation of firmware, SonicOS. With the release of series 7 appliances and firmware, SonicWall made significant changes to the underlying operating system as well as its packaging and distribution. SonicOSX also brought changes to the method of encryption used to protect the firmware images from hackers and reverse engineers.

Because of the new vulnerabilities, and the knowledge gap around recent firmware, we decided it was time to roll up our sleeves and dive into SonicOSX. The release of virtual machine images with the new OS, which didn’t happen until version 7.1.1, gave us the key we needed to reverse-engineer the encryption and gain access to the underlying file system (more on this to come in part 3 of this blog series).

Once we had full access to the SonicOSX file system, we were able to develop fingerprinting techniques to remotely identify specific operating system versions. As long as a device exposes its SSL VPN or management interface to the internet, we can now assess that device’s security posture with much higher confidence than we previously had.

Background

Given this new fingerprinting capability, we wanted to answer the question, “What is the current state of SonicWall firewall security on the public internet?” The last time we surveyed SonicWall devices, we specifically looked for ones impacted by CVE-2022-22274 and CVE-2023-0656 (and we found over 178,000 of them). In that survey, our fingerprinting capability was much less precise, and so we focused instead on testing specifically for those vulnerabilities.

This time around, armed with improved capabilities, we took the opportunity to get a broader view by examining the distribution of SonicOS and SonicOSX (henceforth SonicOS/X) versions across the internet. We were also able to use that data to infer which devices might be end-of-life or affected by a wide variety of known vulnerabilities. It is important to note that what we are presenting here is limited to SonicWall firewalls that have at least one interface publicly exposed, which we assume represents only a small slice of the appliances currently in use.

Without further ado, let’s crunch some numbers!

Exposure Analysis

Our scan identified a total of 430,363 unique targets (IP address and port combinations) with SonicOS/X login pages exposed on the public internet. Of these, the majority had both the management and SSL VPN interfaces accessible, while the rest only exposed one interface.

It’s worth pointing out here that the management interface on a firewall should never be publicly exposed, as this presents unnecessary risk. The SSL VPN interface, although designed to provide access to external clients over the internet, should ideally be protected by source IP address restrictions. Any exposure presents an additional attack surface for a malicious actor.

If we break down the exposures by major version (which SonicWall uses interchangeably with “series”), we start to get a sense of adoption rates for the different hardware series that have been released over time. At just under 40%, the newest series 7 has significant adoption, but the previous series 6 remains more prevalent at nearly 50%. Series 5, which has reached the end of support for all but one model, maintains a notable presence, and even series 4, which is completely out of support, still has a few hundred targets publicly accessible. The remaining 3% of targets could not be clearly identified.

Next, we dial up the precision a little bit to examine the distribution of version groups. For series 4, 5, and 6, SonicWall groups its versions by the patch level (as in version Major.Minor.Patch), while it groups series 7 versions at the minor level (as in version Major.Minor).

This is important to understand when scoping vulnerabilities – for example, if SonicWall releases an advisory stating that a vulnerability affects version 6.5.3.4 and earlier, releases from version 6.5.3.0 through 6.5.3.4 are included, but versions belonging to other groups, such as 6.2.7.0, are not affected. For series 7, an advisory impacting versions 7.1.2 and earlier would include 7.1.0 but not 7.0.1.

The following two charts (Figure 2 and Figure 3) illustrate the prevalence of version groups exposed on the internet. Note that, by increasing the precision, the number of “unknown” devices also increased – this is due to the fact that we could not clearly identify them as belonging to a single version group at that level of precision (including all series 4 devices).

The primary takeaway from this view (Figure 2 - Version Group Distribution (Linear)) is that the vast majority of identifiable targets are running a firmware release that is somewhere within the newest three version groups. To get a clearer view of the rest of the groups, we can plot the same data on a logarithmic scale.

This view (Figure 3 - Version Group Distribution (Logarithmic)) reveals a tendency among older series 6 models to run firmware within version groups 6.2.7 and 6.5.1, while series 5 tends towards groups 5.8.1 and 5.9.0. Of course, we can also see that a wide range of legacy versions are still in use.

Further down, we’ll take a closer look at the security of these versions, but first, let’s zoom in even further and see how precise our version detection can get.

This chart (Figure 4 - Series 7 Release Distribution) shows the distribution of specific releases among series 7 exposures, to the greatest degree of precision possible for each target. Wherever you see an “x” in the version string, that indicates a range of possible versions, e.g., “7.1.1-x” means “we know this target is running version 7.1.1, but we can’t confidently identify which release it is.” Ranges such as this are colored gray for easier identification; the light blue bars indicate the current release in each version group (7.0 and 7.1).

This view (Figure 4 - Series 7 Release Distribution) primarily tells us two things: that a high proportion of series 7 appliances are running the latest available firmware release within their version groups (7.0.1-5161 and 7.1.2-7019), and that each version group also has a high proportion of devices running a few releases behind (7.0.1-5119 and 7.1.1-7051). In the case of the 7.0 group, the number lagging behind is slightly higher than those keeping current. We also see that there is a broader distribution of releases exposed within the 7.0 group than the 7.1 group. One curious outlier is a batch of almost 3,300 targets running version 7.0.0-414, released in December 2020 only for the NSsp 15700 appliance.

Next, let’s look at the same data for series 6.

The first thing that is apparent on this chart (Figure 5 - Series 6 Release Distribution) is a much lower overall precision, which is down to the differences in fingerprinting techniques that we used for series 7 versus earlier series. Since one range in particular renders most of the other bars invisible, values indicating exact versions are rendered in blue.

The key takeaway from this view is that, by far, the majority of series 6 appliances are running firmware within the (most recent) 6.5.4 version group and, notably, do not fall within the 6.5.4.4-44v-21-x range, which captures all series 6 NSv (virtual machine) releases. We also know those identified in the 6.5.4.x range do not fall within the 6.5.4.15-x range (which includes the two newest releases, 6.5.4.15-116n and 6.5.4.15-117n), so what we can deduce about the largest proportion of series 6 exposures is that they are running on hardware appliances and are nearly up-to-date, but not current. For most of the other series 6 version groups, the data is insufficient for us to say with confidence how current the versions are.

Series 5 continues the trend of decreasing precision.

This view (Figure 6 - Series 5 Release Distribution) primarily tells us that most series 5 exposures are in the 5.9.1 and 5.9.2 version groups (inferred from the high proportion in the 5.9.x range, excluding the 5.9.0.x range), but we can’t distinguish between them with any confidence, so they may or may not be running current firmware. It is worth pointing out that only version 5.9.2.13 is still actively supported within series 5.

Security Analysis

Now that we have an idea of the overall distribution of SonicWall firewall exposures on the internet, we turn to the question, “How secure are these exposed devices?” To answer this, we correlated version groups with two additional metrics: support status and vulnerability status.

First, we look at the proportion of targets that are actively supported by SonicWall versus those that have reached the end of support.

Based on the available data, we can say with confidence that 169,473 exposed devices (39%) are active and 20,710 (5%) are unsupported. We could not identify the remaining 240,180 (56%) with enough precision to be sure of their status – fingerprinting often requires a bit of triangulation, so interpreting the data accurately involves nuance (more on this below).

This information gets a little more interesting once we distribute it by series.

Here we start to see that most of the devices with unknown support status fall within series 5 and 6. Looking at percentages by series may help to explain why.

Now we can see that all series 7 devices are currently active, while series 4 devices are unsupported. Only series 5 and 6 have mixed support status, and for these it is generally only the most recent version within each version group that is under active support.

This should help to clarify why the majority of exposures fall into the “unknown” category here – we can only be sure of a target’s support status if we can uniquely identify the latest version in its group. If the best available precision for that version falls within a range, then all we can do is identify which targets are outside of that range. Still, knowing for certain that over 20,000 firewalls exposed on the internet have reached the end of support is not insignificant.

Lastly, we’ll look at how many devices are affected by high and/or critical vulnerabilities, starting with a view by series (targets impacted by multiple vulnerabilities are categorized according to the one with the highest severity).

The good news from this view (Figure 10 - Vulnerability Status by Series) is that most series 6 devices are unaffected. The bad news is that we can say, with confidence, that the majority of series 7 devices exposed online are impacted by at least one vulnerability of high or critical severity. As we highlighted earlier, a significant proportion of series 7 devices lag behind the current firmware release, and this, unfortunately, is the result.

The view (Figure 11 - Vulnerability Status by Series (Percentage)) by percentage reveals some additional points of interest: series 4 devices, despite being end-of-support, remain unaffected by any published vulnerabilities. Our visibility into series 5 devices is lacking, with the majority of exposures falling in version ranges that don’t give us a clear indication of their vulnerability status.

When it comes to critical vulnerabilities, at least 7% of both series 6 and series 7 devices are impacted, and this leads us to our final graph – the big picture view.

After scanning the internet to identify exposed SonicWall firewalls and their firmware versions, we found 119,503 devices affected by serious vulnerabilities – 25,485 of critical severity and 94,018 of high severity. Impacted devices comprise 28% of confirmed exposures, while 223,333 (52%) remain unaffected (for now). The status of an additional 87,527 devices (20%) could not be determined using our current methodology.

Last time we looked at the state of SonicWall firewall security, we found over 178,000 devices exposed online were vulnerable to CVE-2022-22274 and/or CVE-2023-0656. Fortunately, it looks like that number has come down a bit over the last ten months. Although we didn’t perform the same vulnerability test this time around, based on the versions we see exposed, the count of impacted targets now looks closer to 37,000. As we’ve already seen, however, a new crop of vulnerabilities has already popped up to take the place of those two, and the overall numbers don’t look much better. The message remains the same: patch early and patch often!

Methodology

To identify potential SonicWall firewalls on the internet, we queried Shodan and BinaryEdge for HTTP/S services categorized as “SonicWall,” and received approximately 732,000 unique targets (IP address and port combinations). We scanned these targets with a proprietary script that checked response headers, status codes, and body content at several URL paths to confirm accessibility, validate firewall management and SSL VPN interfaces, and screen out low-interaction honeypots. For those curious, out of the roughly 400,000 confirmed exposures, Shodan and BinaryEdge each contributed about 100,000 unique targets that were not provided by the other service. The remaining 200,000 targets were present in both data sets.

We then analyzed the response data using proprietary techniques to determine the most precise version (or range of versions) of the underlying SonicOS/X firmware possible. As noted in several places above, these techniques had limitations that produced variations in the level of precision to which we could identify the version of any given target. To the best of our ability, we have presented only high-confidence results and indicated ambiguity where appropriate.

To determine support status, we correlated information from SonicWall’s product lifecycle tables with the firmware versions listed in the Download Center at mysonicwall.com. To determine vulnerability status, we reviewed all SonicWall advisories affecting next-generation firewalls with critical, high, or medium severity. We enumerated impacted versions for each advisory (accounting for version groups as described in “Exposure Analysis” above) and consolidated the impacted versions into sets based on the highest-severity vulnerability affecting each. Interesting to note is that all the medium-severity impacts were overruled by high-severity impacts.

Once we had mapped out which versions were associated with which support status and vulnerability status, we used the best available precision for each target to classify it appropriately, then aggregated the results. One limitation that should be noted is that some vulnerabilities only affect specific appliance models, and our fingerprinting techniques did not identify models, so it is possible that some targets may not be impacted despite having a version within a vulnerable range. Our sense is that this has a minimal impact on our results, as there tends to be high correlation between versions and models (i.e. each model can only run a limited set of versions, and models with similar version support tend to show up in the same advisories).

Conclusion

Overall, the results of our internet-wide survey tell us that the state of SonicWall security, while showing signs of progress, still faces significant challenges. The simple fact that over 430,000 firewall appliances are publicly accessible is cause enough for concern, but when you add that more than half are running on outdated hardware, and more than a quarter are affected by serious vulnerabilities, the big picture looks rather worrisome.

The bright spot here is that we have seen evidence that the majority of devices are being patched over time (as indicated by the decline in targets impacted by CVE-2022-22274 and CVE-2023-0656). The problem seems to be that the rate of patching is not keeping up with the rate of new vulnerabilities. It bears repeating: patch early and patch often.

In light of the Zero Day Initiative’s recent announcement of four new upcoming high and critical vulnerabilities affecting SonicWall products, it seems likely that in the coming months admins will be scrambling to find and fix their devices yet again. Customers of Bishop Fox Cosmos can rest assured that we will notify them about affected devices as soon as the next advisory drops (and sometimes sooner), so they know where their weak spots are, can patch immediately, and will be empowered to take further measures to reduce their exposure.

We hope you enjoyed this deep dive into the state of SonicWall security on the internet! Stay tuned for the final part in this blog series, in which we will walk through reverse engineering and decrypting SonicOS/X SIG-formatted firmware (which make up the majority of the available firmware images).