SonicWall Released Hotfix for Critical SQL Injection Flaw

July 25, 2022

Network security vendor SonicWall has published a security advisory for a severe SQL injection vulnerability affecting its GMS (Global Management System) and Analytics On-Prem products.

Which SonicWall Products Are Affected?

Product     Affected Versions                       Fixed Version
GMS         9.3.1-SP2-Hotfix1 and earlier versions  9.3.1-SP2-Hotfix-2
Analytics   2.5.0.3-2520 and earlier versions       2.5.0.3-Hotfix-1

How Does the Vulnerability Affect Systems?

The vulnerability, tracked as CVE-2022-22280, has a CVSS score of 9.4 and is caused by what SonicWall describes as improper neutralization of special elements used in an SQL command (CWE-89), which allows unauthenticated SQL injection. An attacker can craft a special request, send it to the vulnerable application and run arbitrary SQL commands against the application database.

When the vulnerability is exploited, the attacker effectively gains control of the application's data: they can read, modify and delete records in the database without ever authenticating.
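The mechanism behind an unauthenticated SQL injection, as an added example that is not SonicWall's code and does not reflect the actual GMS or Analytics code path: a constructed SQLite users table, a lookup that concatenates the caller-supplied username into the query (the CWE-89 pattern named in the advisory), and the parameterized form that fixes it. The table, the function names and the two attacker strings are all assumptions made for illustration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory sample database (not SonicWall's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "s3cr3t", "admin"), ("analyst", "hunter2", "viewer")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """CWE-89: untrusted input is concatenated into the SQL text, so quote
    characters in `username` change the structure of the statement."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, username):
    """Parameterized query: the value travels separately from the SQL text and
    is treated as data, whatever characters it contains."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed attacker inputs (assumptions for this example). The first turns
# the WHERE clause into a tautology; the second appends a UNION that reads a
# column the original query never exposed.
TAUTOLOGY = "x' OR '1'='1"
UNION_READ = "x' UNION SELECT username, password FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, tautology:", vulnerable_lookup(db, TAUTOLOGY))
    print("vulnerable, union:    ", vulnerable_lookup(db, UNION_READ))
    print("safe, tautology:      ", safe_lookup(db, TAUTOLOGY))
    print("safe, union:          ", safe_lookup(db, UNION_READ))
```

The tautology payload makes the vulnerable function return every row and the safe one return nothing; the UNION payload pulls the password column that the query never selected, which is the "read" part of the impact described above. Deleting or modifying data through stacked statements (an input such as `'; DELETE FROM users; --`) depends on whether the database driver executes more than one statement per call: Python's sqlite3 `execute()` refuses to, but many other drivers and ORMs do not.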

How to Fix the Vulnerability?

There is no workaround for this vulnerability other than applying the update. However, the likelihood of exploitation can be reduced by placing the GMS and Analytics web interfaces behind a WAF (Web Application Firewall) configured to block SQL injection attempts. This is a mitigation, not a fix, and the management interfaces should not be reachable from the internet in the first place.

According to the advisory, no proof-of-concept (PoC) code has been published, and SonicWall has not received any reports of this issue being exploited in the wild.

SonicWall has made deployment instructions available to help organizations upgrade their GMS and Analytics installations.