CVE-2022-27812 in SNS Firewall

Summary

by MITRE • 08/24/2022

Flooding SNS firewall 3.7.0 to 3.7.26 with UDP or ICMP, randomizing the source, through internal-to-internal or external-to-internal interfaces will lead the firewall to overwork. It will consume 100% CPU and 100% RAM, won't be available, and can crash.


Analysis

by VulDB Data Team • 05/15/2026

The vulnerability identified as CVE-2022-27812 affects SNS firewall versions 3.7.0 through 3.7.26 and presents a critical resource exhaustion threat that can completely disable firewall operations. It manifests when an attacker floods the firewall with UDP or ICMP traffic whose source addresses are randomized, sent through internal-to-internal or external-to-internal network interfaces. The attack relies on nothing more than basic network protocols to overwhelm the firewall's processing capacity, producing a denial of service condition that renders the security device inoperable.

The technical flaw lies in the firewall's inadequate handling of randomized source addresses in UDP and ICMP traffic streams. When packets arrive with spoofed or randomized source IP addresses, the firewall's connection tracking mechanisms are overwhelmed as they attempt to create and maintain state for each incoming packet. The affected implementation does not adequately rate-limit or filter incoming traffic based on source address randomness, so a simple flood is enough to consume all available system resources. The vulnerability specifically affects the firewall's packet processing engine and memory management, leading to complete system saturation.

The operational impact is severe and immediate: the firewall becomes completely unresponsive to legitimate network traffic while consuming 100% of available CPU and memory. This resource exhaustion disrupts every network security function the device provides, leaving the network exposed while the firewall is offline. The potential for a system crash is a critical failure mode in which the firewall's operational integrity is fully compromised, requiring manual intervention and a restart to restore normal operation. Network administrators are left with the difficult task of maintaining network security while the primary protective device is unavailable.

Mitigation should focus on filtering the vulnerable traffic patterns at network boundaries before they reach the firewall. Network segmentation and ingress filtering should be deployed to block randomized source address patterns upstream of the device. The firewall should be upgraded to version 3.7.27 or later, which includes patches addressing the resource exhaustion vulnerability. Rate limiting and connection tracking limits can further reduce exposure by capping the number of concurrent connections and packets the firewall will process. Organizations should also consider deploying intrusion detection systems to monitor for suspicious traffic patterns and should implement proper logging to detect exploitation attempts. This vulnerability aligns with CWE-400 (uncontrolled resource consumption) and maps to ATT&CK technique T1498 (Network Denial of Service), which covers resource exhaustion attacks against network infrastructure devices.
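One way to turn the advice to monitor for suspicious traffic patterns into concrete detection logic: the following is an added example (not code from VulDB, MITRE or the firewall vendor) that buckets UDP/ICMP packets per second and per ingress interface and flags windows that combine high volume with a near-unique source address per packet, which is what separates the randomized-source flood from an ordinary busy link. The log line format and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict

# Log line format is an assumption made for this example (not the firewall's
# real syslog syntax): "<epoch_second> <proto> <src_ip> <ingress_iface>"
def parse_line(line):
    ts, proto, src, iface = line.split()
    return int(ts), proto, src, iface

def flood_windows(lines, window=1, protos=("udp", "icmp"),
                  min_pkts=100, min_src_ratio=0.8):
    """Bucket UDP/ICMP packets per (time window, protocol, ingress interface)
    and flag buckets that are both high-volume AND where nearly every packet
    carries a distinct source address. Volume alone would also flag a busy
    DNS resolver; the unique-source ratio isolates the randomised-source
    flood pattern described in the advisory."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for line in lines:
        ts, proto, src, iface = parse_line(line)
        if proto not in protos:
            continue                      # TCP etc. are out of scope here
        b = buckets[(ts // window * window, proto, iface)]
        b["pkts"] += 1
        b["srcs"].add(src)
    alerts = []
    for (start, proto, iface), b in sorted(buckets.items()):
        ratio = len(b["srcs"]) / b["pkts"]
        if b["pkts"] >= min_pkts and ratio >= min_src_ratio:
            alerts.append({"window_start": start, "proto": proto, "iface": iface,
                           "packets": b["pkts"], "unique_sources": len(b["srcs"]),
                           "source_ratio": round(ratio, 2)})
    return alerts

def build_sample_log():
    """Constructed traffic (not captured data): a benign 150-packet UDP burst
    from five DNS clients at t=100, a 250-packet UDP flood with a different
    spoofed source per packet at t=101 on the external interface, and a
    10-packet ICMP trickle with distinct sources at t=102."""
    lines = [f"100 udp 10.0.0.{i % 5 + 1} in" for i in range(150)]
    lines += [f"101 udp 192.0.2.{i % 256} out" for i in range(250)]
    lines += [f"102 icmp 10.0.1.{i} in" for i in range(10)]
    return lines

if __name__ == "__main__":
    for a in flood_windows(build_sample_log()):
        print("ALERT", a)
```

Only the t=101 window is reported: the DNS burst fails the source-ratio test and the ICMP trickle fails the volume test.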

Reservation

03/24/2022

Disclosure

08/24/2022

Moderation

accepted

CPE

ready

EPSS

0.00389

KEV

no

Activities

very low
