SB2023071818 - Multiple vulnerabilities in SonicWall GMS and Analytics
Published: July 18, 2023 Updated: September 8, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2023-34126)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote user can upload a malicious file and execute it on the server.
2) Path traversal (CVE-ID: CVE-2023-34125)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
3) Improper Authentication (CVE-ID: CVE-2023-34124)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to insufficient checks in the Web Service. A remote attacker can bypass authentication process and gain unauthorized access to the application.
4) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2023-34123)
CWE-ID: CWE-321 - Use of Hard-coded Cryptographic Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a predictable password reset key. A remote attacker can cause unauthorised password reset.
5) OS Command Injection (CVE-ID: CVE-2023-34127)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Password in Configuration File (CVE-ID: CVE-2023-34128)
CWE-ID: CWE-260 - Password in Configuration File
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to the Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file, which leads to security restrictions bypass and privilege escalation.
7) Path traversal (CVE-ID: CVE-2023-34129)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can traverse the directory and extract arbitrary files using Zip Slip method to any location on the underlying filesystem with root privileges.
8) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-34130)
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the use of outdated Tiny Encryption Algorithm (TEA) with a hardcoded key to encrypt sensitive data. A remote user can gain access to sensitive information on the system.
9) Information disclosure (CVE-ID: CVE-2023-34131)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.
10) Use of Password Hash Instead of Password for Authentication (CVE-ID: CVE-2023-34132)
CWE-ID: CWE-836 - Use of Password Hash Instead of Password for Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to use of password hash instead of password for authentication. A remote attacker can gain access to sensitive information on the system.
11) SQL injection (CVE-ID: CVE-2023-34133)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
12) Information disclosure (CVE-ID: CVE-2023-34134)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can read administrator password hash via a web service call.
13) Path traversal (CVE-ID: CVE-2023-34135)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
14) Arbitrary file upload (CVE-ID: CVE-2023-34136)
CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.
15) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2023-34137)
CWE-ID: CWE-305 - Authentication Bypass by Primary Weakness
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the affected application uses static values for authentication without proper checks. A remote attacker can bypass authentication process and gain unauthorized access to the application.
Remediation
Install update from vendor's website.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010
- https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1155/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1154/