SB2023071818 - Multiple vulnerabilities in SonicWall GMS and Analytics
Published: July 18, 2023 Updated: September 8, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Arbitrary file upload (CVE-ID: CVE-2023-34126)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote user can upload a malicious file and execute it on the server.
2) Path traversal (CVE-ID: CVE-2023-34125)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
3) Improper Authentication (CVE-ID: CVE-2023-34124)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to insufficient checks in the Web Service. A remote attacker can bypass authentication process and gain unauthorized access to the application.
4) Use of Hard-coded Cryptographic Key (CVE-ID: CVE-2023-34123)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to a predictable password reset key. A remote attacker can cause unauthorised password reset.
5) OS Command Injection (CVE-ID: CVE-2023-34127)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to improper input validation. A remote user can pass specially crafted data to the application and execute arbitrary OS commands on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
6) Password in Configuration File (CVE-ID: CVE-2023-34128)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to the Tomcat application credentials are hardcoded in SonicWall GMS and Analytics configuration file, which leads to security restrictions bypass and privilege escalation.
7) Path traversal (CVE-ID: CVE-2023-34129)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can traverse the directory and extract arbitrary files using Zip Slip method to any location on the underlying filesystem with root privileges.
8) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2023-34130)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the use of outdated Tiny Encryption Algorithm (TEA) with a hardcoded key to encrypt sensitive data. A remote user can gain access to sensitive information on the system.
9) Information disclosure (CVE-ID: CVE-2023-34131)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote attacker can gain unauthorized access to sensitive information on the system.
10) Use of Password Hash Instead of Password for Authentication (CVE-ID: CVE-2023-34132)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to use of password hash instead of password for authentication. A remote attacker can gain access to sensitive information on the system.
11) SQL injection (CVE-ID: CVE-2023-34133)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
12) Information disclosure (CVE-ID: CVE-2023-34134)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can read administrator password hash via a web service call.
13) Path traversal (CVE-ID: CVE-2023-34135)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.
14) Arbitrary file upload (CVE-ID: CVE-2023-34136)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload. A remote attacker can upload a malicious file and execute it on the server.
15) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2023-34137)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to the affected application uses static values for authentication without proper checks. A remote attacker can bypass authentication process and gain unauthorized access to the application.
Remediation
Install update from vendor's website.
References
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010
- https://www.sonicwall.com/support/knowledge-base/urgent-security-notice-sonicwall-gms-analytics-impacted-by-suite-of-vulnerabilities/230710150218060/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1155/
- https://www.zerodayinitiative.com/advisories/ZDI-23-1154/