Cybersecurity hardware company SonicWall recently published a security notice about a critical SQL injection flaw affecting its Global Management System (GMS) and Analytics On-Prem products.
The flaw, tracked as CVE-2022-22280, carries a critical CVSS rating of 9.4. Beyond its potential for damage, the vulnerability has low attack complexity: exploiting it needs no special conditions or preparation on the attacker's side. CVE-2022-22280 can be exploited over the network, requires no user interaction and requires no authentication.
“SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a proof of concept (PoC) have been made public, and malicious use of this vulnerability has not been reported to SonicWall,” said SonicWall in the security notice.
“SonicWall PSIRT strongly suggests that organizations using the Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.” (SonicWall advisory)
Customers running Analytics 2.5.0.3-2520 or earlier and/or GMS 9.3.1-SP2-Hotfix1 or earlier are advised to update to the patched versions, Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2, respectively.
There is no workaround for this vulnerability in either affected product. SonicWall does advise customers to place a Web Application Firewall (WAF) in front of their web applications to protect against common exploits and vulnerabilities, including SQL injection; a WAF reduces exposure while the update is being rolled out, but it is not a substitute for installing the patched version.
SQL injection (SQLi) is a well-known, old-school injection attack that has been around for more than 15 years. It occurs when user-supplied input is concatenated into a database query, so that quotes, comment markers or extra clauses in the input change the meaning of the query itself. Threat actors typically use it to read or modify data the application never meant to expose, for example bypassing a login check or dumping a user table. SQL injection can be carried out with automated tools such as Havij, or by manually entering crafted SQL fragments into forms or text fields, such as a website’s search box.
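The following added example (written for this article, not code from SonicWall or the affected products) shows the mechanism described above against a constructed SQLite user table: a login query and a role-filter query built by string concatenation, the same two queries with bound parameters, and two classic payloads, an authentication bypass and a UNION-based extraction of the password column. The table, the sample users and the function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a management console's
    user store (sample data for this example, not any vendor's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret!", "administrator"), ("auditor", "r3ad0nly", "viewer")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: whatever the caller types is
    spliced into the SQL text, so quotes and comment markers in the input
    change the statement's grammar. This is the classic SQLi pattern."""
    sql = (
        "SELECT username, role FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the values
    separately from the statement, so input is always data, never syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def users_in_role_vulnerable(conn, role):
    """A second concatenated query, e.g. behind a UI filter field, used
    below to show data extraction rather than authentication bypass."""
    sql = "SELECT username, role FROM users WHERE role = '" + role + "'"
    return conn.execute(sql).fetchall()


def users_in_role_safe(conn, role):
    """Parameterized version of the role filter."""
    return conn.execute(
        "SELECT username, role FROM users WHERE role = ?", (role,)
    ).fetchall()


# Payload 1: authentication bypass. The closing quote ends the username
# literal, OR '1'='1' makes the WHERE clause true for every row, and "--"
# turns the remainder of the statement (the password check) into a comment.
BYPASS = "admin' OR '1'='1' -- "

# Payload 2: data extraction. UNION appends a second result set that places
# the password column where the application expects the role column.
EXFIL = "nosuchrole' UNION SELECT username, password FROM users -- "


def run_demo():
    """Run both payloads against the vulnerable and the hardened queries."""
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, BYPASS, "wrong"),
        "bypass_safe": login_safe(conn, BYPASS, "wrong"),
        "exfil_vulnerable": users_in_role_vulnerable(conn, EXFIL),
        "exfil_safe": users_in_role_safe(conn, EXFIL),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

The vulnerable login returns every user for a wrong password, and the vulnerable filter returns usernames paired with cleartext passwords; the parameterized versions return nothing, because the whole payload is compared as a literal string. The defence is the bound parameter, not input filtering: a WAF can block obvious payloads such as these, but only the query construction itself removes the flaw.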
Injection has been at or near the top of the threats to web applications for years, according to the Open Web Application Security Project (OWASP). This non-profit organization periodically publishes the OWASP Top 10, a list of the most critical risks to web applications. Although Broken Access Control displaced Injection from the number one spot in the 2021 edition, Injection remains in the top three (A03:2021), and SQL injection is its best-known form.