Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities
First Published:07/12/2023
Last Updated:07/13/2023
SonicWall proactively works to identify product vulnerabilities and remediate any potential issues. To ensure we meet or exceed security best practices, SonicWall routinely collaborates with third-party researchers and forensic analysis firms in the testing and development of our products.
GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCCGroup. This suite of vulnerabililtes, which was responsibility disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL, that allows an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor.
SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public, and malicious use of this vulnerability have not been reported to SonicWall.
Impact:
The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. The full list of vulnerabilities, their respective impacts, and CVSS scores are enumerated below:
CVE | Description | CVSS | CWE | Vector |
CVE-2023-34123 | Predictable Password Reset Key | 7.5 (High) | CWE-321: Use of Hard-coded Cryptographic Key | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CVE-2023-34124 | Web Service Authentication Bypass | 9.4 (Critical) | CWE-305: Authentication Bypass by Primary Weakness | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |
CVE-2023-34125 | Post-Authenticated Arbitrary File Read via Backup File Directory Traversal | 6.5 (Medium) | CWE-27: Path Traversal: 'dir/../../filename' | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-34126 | Post-Authenticated Arbitrary File Upload | 7.1 (High) | CWE-434: Unrestricted Upload of File with Dangerous Type | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
CVE-2023-34127 | Post-Authenticated Command Injection | 8.8 (High) | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-34128 | Hardcoded Tomcat Credentials (Privilege Escalation) | 6.5 (Medium) | CWE-260: Password in Configuration File | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CVE-2023-34129 | Post-Authenticated Arbitrary File Write via Web Service (Zip Slip) | 7.1 (High) | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
CVE-2023-34130 | Use of Outdated Cryptographic Algorithm with Hardcoded Key | 5.3 (Medium) | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-34131 | Unauthenticated Sensitive Information Leak | 5.3 (Medium) | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor An attacker could leak sensitive information such as the device serial number, internal IP addresses and host names. | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
CVE-2023-34132 | Client-Side Hashing Function Allows Pass-the-Hash | 4.9 (Medium) | CWE-836: Use of Password Hash Instead of Password for Authentication | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-34133 | Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass | 9.8 (Critical) | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-34134 | Password Hash Read via Web Service | 9.8 (Critical) | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
CVE-2023-34135 | Post Authenticated Arbitrary File Read via Web Service | 6.5 (Medium) | CWE-36: Absolute Path Traversal | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CVE-2023-34136 | Unauthenticated File Upload | 6.5 (Medium) | CWE-434: Unrestricted Upload of File with Dangerous Type | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
CVE-2023-34137 | CAS Authentication Bypass | 9.4 (Critical) | CWE-305: Authentication Bypass by Primary Weakness | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |
Workarounds/Temporary Mitigations:
There is no workaround available for this suite of vulnerabilities.
Resolution:
SonicWall PSIRT strongly suggests that organizations using the GMS/Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.
AFFECTED | PATCHED |
· GMS 9.3.2-SP1 and before |
● GMS - Virtual Appliance 9.3.9330 and higher versions ●GMS - Windows 9.3.9330 and higher versions
|
· Analytics 2.5.0.4-R7 and before |
● Analytics- Analytics 2.5.2-R9 and higher versions
|
Please reference the following deployment guides for guidance on upgrading your GMS and Analytics On-Prem deployments:
GMS 9.3.x:
Please reach out to SonicWall Technical Support if you require assistance with the upgrade process.
Analytics 2.5.x On-prem:
- https://www.sonicwall.com/techdocs/pdf/232-005167-00_RevC_Analytics_2.5_ESXi_DeploymentGuide.pdf
- https://www.sonicwall.com/techdocs/pdf/232-004743-00_RevD_On-Prem_Analytics_Hyper-V_DeploymentGuide.pdf
- https://www.sonicwall.com/techdocs/pdf/232-004741-00_RevE_Analytics_2.5_Azure_DeploymentGuide.pdf
