Urgent Patching Required to Fix Critical and High-Severity SonicWall GMS/Analytics Flaws

SonicWall has released patches to fix 15 vulnerabilities in its Global Management System (GMS) firewall management and Analytics solutions, including 4 critical and 4 high-severity flaws. The critical flaws could be exploited by a malicious actor to bypass authentication, which would permit access to any information the application is permitted to access, including sensitive data belonging to other users. An attacker could modify, delete, or steal the data, thus affecting the application’s content or behavior.

SonicWall said it is unaware of any instances where the vulnerabilities have been exploited and no reports of proof-of-concept (PoC) exploits have been made public; however, immediate patching is strongly recommended. SonicWall says there are no workarounds available to address the flaws. Updating to the patched version is the only way to address the vulnerabilities.

Vulnerabilities in SonicWall solutions have been actively targeted by malicious actors in the past, including ransomware groups and APT actors for long-term persistent access for cyber-espionage purposes. SonicWall PSIRT strongly recommends organizations using the vulnerable GMS/Analytics On-Prem versions to upgrade immediately.

The vulnerabilities affect SonicWall GMS 9.3.2-SP1 and earlier versions and Analytics and earlier versions. All 15 vulnerabilities have now been fixed, and users should ensure they are running the following patched versions:

  • GMS – Virtual Appliance 9.3.9330 or higher
  • GMS – Windows 9.3.9330 or higher
  • Analytics-Analytics 2.5.2-R9 or higher

The critical and high-severity flaws are detailed below.

CVE Description CVSS
CVE-2023-34133 Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass 9.8 (Critical)
CVE-2023-34134 Password Hash Read via Web Service 9.8 (Critical)
CVE-2023-34124 Web Service Authentication Bypass 9.4 (Critical)
CVE-2023-34137 CAS Authentication Bypass 9.4 (Critical)
CVE-2023-34127 Post-Authenticated Command Injection 8.8 (High)
CVE-2023-34123 Predictable Password Reset Key 7.5 (High)
CVE-2023-34126 Post-Authenticated Arbitrary File Upload 7.1 (High)
CVE-2023-34129 Post-Authenticated Arbitrary File Write via Web Service (Zip Slip) 7.1 (High)

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news