Urgent Security Notice: SonicWall GMS/Analytics Impacted by suite of vulnerabilities

First Published: 07/12/2023
Last Updated: 07/13/2023

SonicWall proactively works to identify product vulnerabilities and remediate any potential issues. To ensure we meet or exceed security best practices, SonicWall routinely collaborates with third-party researchers and forensic analysis firms in the testing and development of our products.

GMS/Analytics is remediating a suite of 15 security vulnerabilities, disclosed in a Coordinated Vulnerability Disclosure (CVD) report in conjunction with NCC Group. This suite of vulnerabilities, which was responsibly disclosed, includes four (4) vulnerabilities with a CVSSv3 rating of CRITICAL that allow an attacker to bypass authentication and could potentially result in exposure of sensitive information to an unauthorized actor.

SonicWall PSIRT is not aware of active exploitation in the wild. No reports of a PoC have been made public, and malicious use of these vulnerabilities has not been reported to SonicWall.

Impact:

The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application's content or behavior. The full list of vulnerabilities, their respective impacts, and CVSS scores are enumerated below: 

| CVE | Description | CVSS | CWE | Vector |
| --- | --- | --- | --- | --- |
| CVE-2023-34123 | Predictable Password Reset Key | 7.5 (High) | CWE-321: Use of Hard-coded Cryptographic Key | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| CVE-2023-34124 | Web Service Authentication Bypass | 9.4 (Critical) | CWE-305: Authentication Bypass by Primary Weakness | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |
| CVE-2023-34125 | Post-Authenticated Arbitrary File Read via Backup File Directory Traversal | 6.5 (Medium) | CWE-27: Path Traversal: 'dir/../../filename' | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-34126 | Post-Authenticated Arbitrary File Upload | 7.1 (High) | CWE-434: Unrestricted Upload of File with Dangerous Type | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| CVE-2023-34127 | Post-Authenticated Command Injection | 8.8 (High) | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-34128 | Hardcoded Tomcat Credentials (Privilege Escalation) | 6.5 (Medium) | CWE-260: Password in Configuration File | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| CVE-2023-34129 | Post-Authenticated Arbitrary File Write via Web Service (Zip Slip) | 7.1 (High) | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| CVE-2023-34130 | Use of Outdated Cryptographic Algorithm with Hardcoded Key | 5.3 (Medium) | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-34131 | Unauthenticated Sensitive Information Leak | 5.3 (Medium) | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. An attacker could leak sensitive information such as the device serial number, internal IP addresses and host names. | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CVE-2023-34132 | Client-Side Hashing Function Allows Pass-the-Hash | 4.9 (Medium) | CWE-836: Use of Password Hash Instead of Password for Authentication | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-34133 | Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass | 9.8 (Critical) | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-34134 | Password Hash Read via Web Service | 9.8 (Critical) | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| CVE-2023-34135 | Post Authenticated Arbitrary File Read via Web Service | 6.5 (Medium) | CWE-36: Absolute Path Traversal | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CVE-2023-34136 | Unauthenticated File Upload | 6.5 (Medium) | CWE-434: Unrestricted Upload of File with Dangerous Type | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| CVE-2023-34137 | CAS Authentication Bypass | 9.4 (Critical) | CWE-305: Authentication Bypass by Primary Weakness | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |

Workarounds/Temporary Mitigations:

There is no workaround available for this suite of vulnerabilities.

Resolution:

SonicWall PSIRT strongly suggests that organizations using the GMS/Analytics On-Prem version outlined below should upgrade to the respective patched version immediately.

| Affected Version | Patched Version |
| --- | --- |
| GMS 9.3.2-SP1 and before | GMS - Virtual Appliance 9.3.9330 and higher versions; GMS - Windows 9.3.9330 and higher versions |
| Analytics 2.5.0.4-R7 and before | Analytics - Analytics 2.5.2-R9 and higher versions |


Please reference the following deployment guides for guidance on upgrading your GMS and Analytics On-Prem deployments: 

GMS 9.3.x:

Please reach out to SonicWall Technical Support if you require assistance with the upgrade process.

Analytics 2.5.x On-prem:

Resources: