SonicWall has published a hotpatch for a critical SQL injection vulnerability (CVE-2022-22280) affecting two of its products: GMS (Global Management System) and Analytics On-Prem.
CVE-2022-22280 is rated critical (CVSS 9.4) and is classified as Improper Neutralization of Special Elements used in an SQL Command (CWE-89, SQL injection). Both SonicWall Global Management System (GMS) and SonicWall Analytics On-Prem contain the flaw under the same CVE identifier.
SonicWall PSIRT is not aware of active exploitation in the wild. No proof of concept (PoC) has been made public, and no malicious use of this vulnerability has been reported to SonicWall.
The vulnerability is exploitable from the network without authentication or user interaction and has low attack complexity, which corresponds to the CVSS vector components AV:N/AC:L/PR:N/UI:N. Its root cause is insufficient sanitization of user-supplied data: a remote, unauthenticated attacker can send a specially crafted request to the affected application and have arbitrary SQL executed against the application database.
Successful exploitation may allow a remote attacker to read, modify or delete data in the database and, through that, gain complete control over the affected application.
SonicWall GMS and Analytics are widely deployed for central management, rapid deployment, real-time reporting and data insight, so the exposed attack surface is significant and frequently sits inside critical organizations. Because GMS is the central management point for fleets of SonicWall devices, a compromised instance also puts every device it manages within reach.
Workarounds/Temporary Mitigations
There is no workaround for the vulnerability itself; the fix is to apply SonicWall's hotpatch. Until it is applied, the likelihood of exploitation can be reduced by placing a Web Application Firewall (WAF) in front of the application to block SQL injection attempts, and by restricting network access to the GMS and Analytics interfaces to trusted management networks. Treat the WAF as a stopgap rather than a fix: signature-based filters only catch the payload shapes they know about.
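The following is an added, generic illustration of the two points above (the injection mechanism and why a WAF only reduces likelihood); it is not SonicWall's code, not a PoC for CVE-2022-22280, and it uses a constructed in-memory SQLite table with invented device names. The hypothetical `lookup_vulnerable` splices user input into the SQL text the way a CWE-89 bug does, `lookup_hardened` binds the same input as a parameter, and `waf_blocks` is a deliberately naive signature filter that stops the textbook payloads but misses an equivalent one.

```python
import re
import sqlite3

# Constructed sample inventory (invented names, not data from any SonicWall product).
SAMPLE_ROWS = [
    (1, "fw-branch-01", "tenant-a"),
    (2, "fw-branch-02", "tenant-a"),
    (3, "fw-hq-01", "tenant-b"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, tenant TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89 pattern: the caller-supplied value is spliced into the SQL text,
    so quote characters inside it change the meaning of the statement."""
    sql = "SELECT id, name, tenant FROM devices WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    sql = "SELECT id, name, tenant FROM devices WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payloads. TAUTOLOGY makes the WHERE clause always true (dump every
# row); SCHEMA_DUMP uses UNION to read other data, here the schema catalogue.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT 1, type, name FROM sqlite_master --"

# Deliberately naive WAF-style signature filter (hypothetical, not a product rule):
# it knows the two payloads above but not a tautology written as a numeric comparison.
SQLI_SIGNATURES = re.compile(r"('\s*or\s*'1'\s*=\s*'1)|(union\s+select)", re.IGNORECASE)


def waf_blocks(value):
    """True if the request value matches a known SQLi signature."""
    return SQLI_SIGNATURES.search(value) is not None


# Same effect as TAUTOLOGY (2>1 is always true) but outside the signature set.
BYPASS = "' OR 2>1 --"


if __name__ == "__main__":
    conn = make_db()
    for payload in (TAUTOLOGY, SCHEMA_DUMP, BYPASS):
        print(repr(payload))
        print("  waf_blocks :", waf_blocks(payload))
        print("  vulnerable :", lookup_vulnerable(conn, payload))
        print("  hardened   :", lookup_hardened(conn, payload))
```

Run it and the vulnerable lookup returns every row for `TAUTOLOGY` and `BYPASS` and leaks the schema for `SCHEMA_DUMP`, while the parameterized lookup returns nothing for all three because it searches for a device literally named after the payload. The filter rejects the first two payloads and lets `BYPASS` through, which is the difference between reducing likelihood and removing the bug.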