The SonicWall GMS – a software application used to centrally manage SonicWall firewall appliances and security policy configurations – has numerous vulnerabilities that demand urgent patching, including multiple critical unauthenticated SQL injection bugs and hard-coded credentials.
The 15 SonicWall vulnerabilities were reported to the security company by NCC Group via the Zero Day Initiative (ZDI) under what appears to have been a robust security audit, and are not yet being exploited in the wild.
SonicWall vulnerabilities have previously been widely exploited however (CVE-2021-20038 was among 2021’s most exploited vulnerabilities for example) and security researchers say they expect the SonicWall vulnerabilities to be “be extremely attractive to adversaries – including those looking to extort victims after executing smash-and-grab attacks.”
CVE |
Description |
CVSS |
CWE |
Vector |
|
CVE-2023-34123 |
Predictable
Password Reset Key |
7.5 |
CWE-321: Use of Hard-coded
Cryptographic Key |
|
|
CVE-2023-34124 |
Web
Service Authentication Bypass |
9.4 |
CWE-305: Authentication Bypass by
Primary Weakness |
|
|
CVE-2023-34125 |
Post-Authenticated
Arbitrary File Read via Backup File Directory Traversal |
6.5 |
CWE-27: Path Traversal:
'dir/../../filename' |
|
|
CVE-2023-34126 |
Post-Authenticated
Arbitrary File Upload |
7.1 |
CWE-434: Unrestricted Upload of File
with Dangerous Type |
|
|
CVE-2023-34127 |
Post-Authenticated
Command Injection |
8.8 |
CWE-78: Improper Neutralization of
Special Elements used in an OS Command ('OS Command Injection') |
|
|
CVE-2023-34128 |
Hardcoded
Tomcat Credentials (Privilege Escalation) |
6.5 |
CWE-260: Password in Configuration
File |
|
|
CVE-2023-34129 |
Post-Authenticated
Arbitrary File Write via Web Service (Zip Slip) |
7.1 |
CWE-22: Improper Limitation of a
Pathname to a Restricted Directory ('Path Traversal') |
|
|
CVE-2023-34130 |
Use of
Outdated Cryptographic Algorithm with Hardcoded Key |
5.3 |
CWE-327: Use of a Broken or Risky
Cryptographic Algorithm |
|
|
CVE-2023-34131 |
Unauthenticated
Sensitive Information Leak |
5.3 |
CWE-200: Exposure of Sensitive
Information to an Unauthorized Actor |
|
|
CVE-2023-34132 |
Client-Side
Hashing Function Allows Pass-the-Hash |
4.9 |
CWE-836: Use of Password Hash
Instead of Password for Authentication |
|
|
CVE-2023-34133 |
Multiple
Unauthenticated SQL Injection Issues & Security Filter Bypass |
9.8 |
CWE-89: Improper Neutralization of
Special Elements used in an SQL Command ('SQL Injection') |
|
|
CVE-2023-34134 |
Password
Hash Read via Web Service |
9.8 |
CWE-200: Exposure of Sensitive
Information to an Unauthorized Actor |
|
|
CVE-2023-34135 |
Post
Authenticated Arbitrary File Read via Web Service |
6.5 |
CWE-36: Absolute Path Traversal |
|
|
CVE-2023-34136 |
Unauthenticated
File Upload |
6.5 |
CWE-434: Unrestricted Upload of File
with Dangerous Type |
|
|
CVE-2023-34137 |
CAS Authentication
Bypass |
9.4 |
CWE-305: Authentication Bypass by
Primary Weakness |
Security appliances sitting at the edge of networks are ripe targets for attack and vulnerabilities in them are often then used to piggyback further into corporate infrastructure before deploying ransomware.
The 15 SonicWall vulnerabilities also include a hard-coded Tomcat credentials issue, command injection, and file upload bugs. They affect GMS - Virtual Appliance 9.3.2-SP1 and earlier versions; GMS - Windows 9.3.2-SP1 and earlier versions; Analytics - 2.5.0.4-R7 and earlier versions.
They were all reported by Richard Warren and Sean Morland of NCC Group, with two also reported by Alex Birnberg of Zymo Security. There is no workaround available for this suite of SonicWall vulnerabilities. The Stack would expect threat actors and other offensive security researchers to be rapidly reverse engineering the patches and POCs to land soon.
