Vulnerabilities

SonicWall Patches Critical Vulnerabilities in GMS, Analytics Products

SonicWall patches four critical-severity vulnerabilities in its Global Management System (GMS) and Analytics products.

Published

SonicWall patches four critical-severity vulnerabilities in its Global Management System (GMS) and Analytics products.

SonicWall on Wednesday announced patches for 15 vulnerabilities in its Global Management System (GMS) and Analytics products, including four critical-severity issues.

GMS is a web-based application for the management and monitoring of SonicWall firewall appliances, while Analytics is a management and reporting engine.

The four critical-severity bugs addressed this week could be exploited to bypass authentication, potentially leading to the exposure of sensitive information.

Two of the flaws, tracked as CVE-2023-34133 and CVE-2023-34134 (CVSS score of 9.8), are described as unauthenticated SQL injection and password hash exposure issues, respectively.

The remaining two, CVE-2023-34124 and CVE-2023-34137 (CVSS score of 9.4), are described as a web service authentication bypass and a CAS authentication bypass, respectively.

Of the remaining flaws, four are high-severity vulnerabilities, while the other seven have a severity rating of ‘medium’.

“The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve. This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior,” SonicWall notes in an advisory.

All 15 flaws were patched in GMS version 9.3.3 and Analytics version 2.5.2.

Advertisement. Scroll to continue reading.

SonicWall, which has credited NCC Group for reporting these flaws, says there are no workarounds available for any of them. Organizations using GMS and Analytics are advised to update to a patched release as soon as possible.

The company also notes that it is not aware of any of these vulnerabilities being exploited in the wild, nor of proof-of-concept (PoC) exploits being made public. However, bugs in SonicWall appliances have been exploited in malicious attacks before.

Related: Custom Chinese Malware Found on SonicWall Appliance

Related: SonicWall Warns of Critical GMS SQL Injection Vulnerability

Related: SonicWall Patches Unauthorized Access Vulnerability in SMA Appliances

In this article:

Related Content

Vulnerabilities

180k Internet-Exposed SonicWall Firewalls Vulnerable to DoS Attacks, Possibly RCE

Two DoS vulnerabilities patched in 2022 and 2023 haunt nearly 180,000 internet-exposed SonicWall firewalls.

January 16, 2024

Funding/M&A

SonicWall Buys Banyan Security for ZTNA Technology

SonicWall announces the acquisition of Banyan Security, a deal that adds zero-trust network access tooling to its product portfolio.

January 3, 2024

Malware & Threats

Custom Chinese Malware Found on SonicWall Appliance

Malware deployed by Chinese hackers on a SonicWall SMA appliance includes credential theft, shell access, and persistence functionality.

March 9, 2023

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version