SonicWall on Wednesday announced patches for 15 vulnerabilities in its Global Management System (GMS) and Analytics products, including four critical-severity issues.
GMS is a web-based application for the management and monitoring of SonicWall firewall appliances, while Analytics is a management and reporting engine.
The four critical-severity bugs addressed this week could be exploited to bypass authentication, potentially leading to the exposure of sensitive information.
Two of the flaws, tracked as CVE-2023-34133 and CVE-2023-34134 (CVSS score of 9.8), are described as unauthenticated SQL injection and password hash exposure issues, respectively.
The remaining two, CVE-2023-34124 and CVE-2023-34137 (CVSS score of 9.4), are described as a web service authentication bypass and a CAS authentication bypass, respectively.
Of the remaining flaws, four are high-severity vulnerabilities, while the other seven have a severity rating of ‘medium’.
“The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior,” SonicWall notes in an advisory.
All 15 flaws were patched in GMS version 9.3.3 and Analytics version 2.5.2.
SonicWall, which has credited NCC Group for reporting these flaws, says there are no workarounds available for any of them. Organizations using GMS and Analytics are advised to update to a patched release as soon as possible.
The company also notes that it is not aware of any of these vulnerabilities being exploited in the wild, nor of proof-of-concept (PoC) exploits being made public. However, bugs in SonicWall appliances have been exploited in malicious attacks before.