OpenSSL Infinite Loop Vulnerability CVE-2022-0778 – Impact on SonicWall Edge Appliances (NGFW, SMA) & VPN Clients
First Published:04/12/2022
Last Updated:05/06/2022
- What is OpenSSL and how is it used in SonicWall products?
OpenSSL is an open-source implementation of SSL and TLS protocols. It is a software library for applications to communicate securely. More information about OpenSSL cryptography and tool kit can be found at www.openssl.org.
Several SonicWall products use the OpenSSL library to secure communication to and from the appliance. Examples include secure web management of the appliance, terminating remote access connectivity (e.g., SMA, firewall remote access), decrypting and encrypting secure connections (DPI-SSL). - What is OpenSSL vulnerability CVE-2022-0778?
A vulnerability (CVE-2022-0778) was found in OpenSSL that causes the OpenSSL library to enter an infinite loop causing a denial-of-service (DoS) attack by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may lead to a DoS attack. - What is the impact of this vulnerability?
The vulnerability impacts any organization or vendor using vulnerable OpenSSL versions. If a vulnerable SonicWall product(s) parses an externally supplied crafted certificate, then it may lead to a DoS attack. That is, it may exhaust the CPU with 100% usage or may cause web GUI unresponsiveness to users due to triggering an infinite loop by malicious crafted certificate. - Which versions of OpenSSL are impacted?
This issue affects all products, regardless of vendor, using OpenSSL versions 1.0.2, 1.1.1 and 3.0. The vulnerability was fixed in the releases of 1.1.1n and 3.0.2 on March 15, 2022. - What is the severity of this vulnerability?
It is a ‘High’ severity vulnerability with a CVSS base score of 7.5. A successful attack can result in the appliance becoming unresponsive. - Which SonicWall products are impacted by the OpenSSL vulnerability?
SonicWall is investigating all its product lines to determine which products and cloud services may be affected by this vulnerability. For the latest updates, please check SonicWall OpenSSL advisory (SNWLID-2022-0002). - Did SonicWall release IPS signatures to protect its customers?
SonicWall released the following IPS signatures to protect vulnerable systems. These signatures are automatically applied via its automated signature deployment with a valid IPS subscription. SonicWall Capture Labs published its research about this vulnerability in a recent SonicAlert.- IPS: 15407 OpenSSL BN_mod_sqrt Function DoS 1
- IPS: 15491 OpenSSL BN_mod_sqrt Function DoS 2
- IPS: 15351 OpenSSL BN_mod_sqrt Function DoS 3
- IPS: 15755 OpenSSL BN_mod_sqrt Function DoS 4
- What is the impact of this vulnerability on SonicWall firewall appliances?
The impact is high. The target appliance will become unresponsive if a DoS attack is successful.
All Gen 5, Gen 6, Gen 6.5 and Gen 7 series physical and virtual firewalls are affected. Please refer to table below for complete details. SonicWall recommends applying the patches immediately on affected firewall appliances as patches become available.Firewall Generation Models Vulnerable OpenSSL
Version Used?Impact/Recommendation Fixed Version Gen 5 Series SOHO
TZ100/W
TZ200/W
TZ210/W
NSA 220/W
NSA 250M/250M-W
NSA 2400/MX/3500/4500/5500
NSA E5500/6500/6500/8500/8510Yes HIGH
SonicWall recommends applying the patch on affected firewalls immediately.SonicOS 5.9.2.14 (SOHO)
Only the listed Gen 5 SOHO is currently supported. SonicWall is not releasing patches for other impacted EOL Gen 5 products listed. Please refer to SonicWall product life tables for more information.Gen 6/6.5 Series SOHO-W, SOHO-250
TZ300/W; TZ350/W
TZ400/W
TZ500/W
TZ600
NSa 2600/2650/3600/3650/4600/4650/5600/5650/6600/6650
SuperMassive 9200/9400/9600/9800
NSa 9250/9450/9650
NSsp 12400/12800
NSv 10/25/50/100/200/400/800/1600 (ESX, KVM, HYPER-V, AWS, Azure)Yes HIGH
SonicWall recommends applying the patch on affected firewalls immediately.SonicOS 6.5.4.10-95n Gen 7 Series TZ270/W
TZ370/W
TZ470/W
TZ570/W
TZ670
NSa 2700/3700/4700/5700/6700
NSsp 10700/11700/13700/15700
NSv 270/470/870 (ESX, KVM, HYPER-V, AWS, Azure)Yes HIGH
SonicWall recommends applying the patch on affected firewalls immediately.SonicOS 7.0.1-5052
For assistance upgrading the firmware on your firewall, please reference the following KB article: - What is the impact of this vulnerability on SonicWall Secure Mobile Access (SMA) appliances?
The impact is high. A successful attack can result in the appliance becoming unresponsive.
All SMA 100 and 1000 series physical and virtual appliances are affected. Please refer to table below for specific models. SonicWall recommends applying the patches immediately on affected SMA 100 and/or SMA 1000 series appliances as patches become available.Product Models Vulnerable OpenSSL Used? Impact/Recommendation Fixed Version SMA 100 Series SMA 210/410
SMA 500v (ESX, KVM, Hyper-V, AWS, Azure)Yes HIGH
SonicWall recommends applying the patch on affected SMA appliances immediately.Available Late April 2022 SMA 1000 Series SMA 6200/7200/6210/7210
SMA 8200v
(ESX, KVM, Hyper-V, AWS, Azure)Yes HIGH
SonicWall recommends applying the patch on affected SMA appliances immediately.
12.4.1-02965
12.1.0-07081
For assistance upgrading the firmware on your SMA appliance, please reference the following KB articles: - What is the impact of this vulnerability on SonicWall VPN/remote access clients?
Low. SonicWall will be releasing patches for affected client versions. Please reference the below table for details.Client Type Vulnerable OpenSSL Used? Impact Additional Comments Fixed Version Global VPN Client (GVC) No N/A N/A N/A Connect Tunnel Version 12.1 & Earlier No N/A Connect Tunnel version 12.1 and earlier do not use OpenSSL and are not vulnerable. N/A Connect Tunnel Version 12.4 Yes Low
Low impact of DoS on client workstation. When a vulnerable workstation is attacked, the endpoint will exhibit high CPU usage.Exploitation requires the client to actively connect to a malicious device, rather than the SMA 1000 appliance. Availability Mid-May 2022 NetExtender for Linux Yes Low
Low impact of DoS on client workstation. When a vulnerable workstation is attacked, the end point will exhibit high CPU usage.Linux clients prior to 10.2.839 are impacted. OpenSSL has been upgraded remediating CVE-2022-0778 in version 10.2.839. Patched NetExtender Linux (32 and 64 bit) version 10.2.839 is available for download on mysonicwall.com. NetExtender for Windows
(All Versions)No N/A N/A N/A Mobile Connect for iOS Yes Low
Low impact of DoS on client workstation. When a vulnerable workstation is attacked, the end point will exhibit high CPU usageiOS clients prior to 5.0.11 are impacted. OpenSSL has been upgraded to 1.1.1n, remediating CVE-2022-0778, in the following release: 5.0.11. Patched Mobile Connect is available for download in iOS App Store. Mobile Connect for MacOS Yes Low
Low impact of DoS on client workstation. When a vulnerable workstation is attacked, the end point will exhibit high CPU usage.MacOS clients prior to 5.0.10 are impacted. Availability Mid-May 2022 Mobile Connect for Android and ChromeOS Yes Low
Low impact of DoS on client workstation. When a vulnerable workstation is attacked, the end point will exhibit high CPU usage.Android clients prior to 5.0.18 are impacted. Availability Mid-May 2022 - Are there any temporary workarounds/mitigation available?
To reduce the risk of attack, SonicWall recommends enabling the following IPS signatures on SonicWall firewall appliances:- IPS: 15407 OpenSSL BN_mod_sqrt Function DoS 1
- IPS: 15491 OpenSSL BN_mod_sqrt Function DoS 2
- IPS: 15351 OpenSSL BN_mod_sqrt Function DoS 3
- IPS: 15755 OpenSSL BN_mod_sqrt Function DoS 4
Customers are recommended to upgrade to relevant patch releases as they become available. For the latest updates on the advisory and recommended patch releases, please check SonicWall OpenSSL advisory.
Additional Resources
- SNWLID-2022-0002
- CVE-2022-0778
- KB Article: ‘How can I upgrade SonicOS Firmware?’
- KB Article: 'How to upgrade firmware on SMA 100 series appliances'
- KB Article: 'How to upgrade firmware on SMA 1000 series appliance'
