Headline
CVE-2022-23989: SNS: Numerous connections to OpenVPN service lead to loopback saturation (CVE-2022-23989)
In Stormshield Network Security (SNS) 3.7.6 through 3.7.24, 3.11.1 through 3.11.12, 4.2.1 through 4.2.9, and 4.3.0 through 4.3.4, a flood of connections to the SSLVPN service might lead to saturation of the loopback interface. This could result in the blocking of almost all network traffic, making the firewall unreachable. An attacker could exploit this via forged and properly timed traffic to cause a denial of service.
Advisory ID: STORM-2022-003
CVE Number: CVE-2022-23989
Date discovered: 01/01/2022
Severity: high
Advisory revision: v1
Vulnerability details
Numerous connections on the SSLVPN service might lead to saturation of the loopback interface. This could result in the blocking of almost all network traffic, making the firewall unreachable.
Impacted products
Products: Stormshield Network Security
Severity: high
Detail: SNS is impacted
Revisions
Version | Date | Description
v1 | 02/09/2022 | Reserved Publication
v2 | 03/15/2022 | Updated and disclosed
Stormshield Network Security
CVSS v3.1 Overall Score: 8.6
Analysis
An attacker could exploit this vulnerability via forged and properly timed traffic to cause a denial of service.
Impacted version
- SNS 3.0.0 to 3.7.24
- SNS 3.8.0 to 3.11.12
- SNS 4.0.0 to 4.2.9
- SNS 4.3.0 to 4.3.4
Workaround solution
There is no workaround solution.
Solution
The following versions fix this vulnerability:
- 3.7.25
- 3.11.13
- 4.2.10
- 4.3.5
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability impact: High
CVSS Base score: 7.5
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Exploit Code Maturity: Functional exploit exists
Remediation Level: Official fix
Report Confidence: Confirmed
CVSS Temporal score: 7
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C)
Confidentiality Requirement: High
Integrity Requirement: High
Availability Requirement: High
CVSS Environmental score: 8.6
CVSS Vector: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X)