Critical SonicWall vulnerabilities "extremely attractive" - central firewall hub needs urgent patching

Multiple critical unauthenticated SQL injection bugs, hard-coded credentials, command injection and file upload bugs need urgent patching.

SonicWall GMS (Global Management System), the software application used to centrally manage SonicWall firewall appliances and their security policy configurations, has numerous vulnerabilities that demand urgent patching, including multiple critical unauthenticated SQL injection bugs and hard-coded credentials.

The 15 SonicWall vulnerabilities were reported to the security company by NCC Group via the Zero Day Initiative (ZDI), apparently the output of a thorough security audit, and are not yet known to be exploited in the wild.

SonicWall vulnerabilities have been widely exploited before, however (CVE-2021-20038, for example, was among 2021’s most exploited vulnerabilities), and security researchers say they expect these SonicWall vulnerabilities to be “extremely attractive to adversaries – including those looking to extort victims after executing smash-and-grab attacks.”

CVE | Description | CVSS | CWE
CVE-2023-34123 | Predictable Password Reset Key | 7.5 | CWE-321: Use of Hard-coded Cryptographic Key
CVE-2023-34124 | Web Service Authentication Bypass | 9.4 | CWE-305: Authentication Bypass by Primary Weakness
CVE-2023-34125 | Post-Authenticated Arbitrary File Read via Backup File Directory Traversal | 6.5 | CWE-27: Path Traversal: 'dir/../../filename'
CVE-2023-34126 | Post-Authenticated Arbitrary File Upload | 7.1 | CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-34127 | Post-Authenticated Command Injection | 8.8 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2023-34128 | Hardcoded Tomcat Credentials (Privilege Escalation) | 6.5 | CWE-260: Password in Configuration File
CVE-2023-34129 | Post-Authenticated Arbitrary File Write via Web Service (Zip Slip) | 7.1 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-34130 | Use of Outdated Cryptographic Algorithm with Hardcoded Key | 5.3 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CVE-2023-34131 | Unauthenticated Sensitive Information Leak | 5.3 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-34132 | Client-Side Hashing Function Allows Pass-the-Hash | 4.9 | CWE-836: Use of Password Hash Instead of Password for Authentication
CVE-2023-34133 | Multiple Unauthenticated SQL Injection Issues & Security Filter Bypass | 9.8 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2023-34134 | Password Hash Read via Web Service | 9.8 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2023-34135 | Post-Authenticated Arbitrary File Read via Web Service | 6.5 | CWE-36: Absolute Path Traversal
CVE-2023-34136 | Unauthenticated File Upload | 6.5 | CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2023-34137 | CAS Authentication Bypass | 9.4 | CWE-305: Authentication Bypass by Primary Weakness

A note on CVSS vectors: the original table carried the same vector string, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, against all 15 entries. That vector evaluates to 7.5 and is therefore consistent only with CVE-2023-34123; it cannot be right for the 9.8, 9.4 or 8.8 rows, so take the per-CVE vectors from SonicWall's own advisory rather than from this list. The scores themselves are as published.
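Two rows in the list above are worth reading together: CVE-2023-34132 (a client-side hashing function that allows pass-the-hash) and CVE-2023-34134 (password hash read via a web service). The page does not say the two were chained, and nothing below is SonicWall's code; it is an added illustration of why CWE-836 turns a hash leak into a credential leak. The login flow, the user table and the sample password are all constructed for the example. The vulnerable scheme stores the client-computed hash and compares it directly to what the client sends, so anyone who can read the table can log in. The hardened scheme treats the client hash as the secret and re-derives it server-side with a per-user salt and a slow KDF, so the stored value is no longer what the login endpoint accepts.

```python
import hashlib
import hmac
import os

# Constructed illustration of CWE-836 (password hash used in place of the
# password). Nothing here is SonicWall code; the login flow is hypothetical.

PASSWORD = "correct horse battery staple"   # sample secret for the demo only


def client_side_hash(username: str, password: str) -> str:
    """Hash a browser-side login form might compute before submitting,
    so the cleartext password never leaves the client."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


class VulnerableAuth:
    """Stores the client-side hash and compares it directly to what the
    client submits. Whoever reads the stored value can log in with it."""

    def __init__(self) -> None:
        self.users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self.users[username] = client_side_hash(username, password)

    def login(self, username: str, submitted_hash: str) -> bool:
        stored = self.users.get(username)
        return stored is not None and hmac.compare_digest(stored, submitted_hash)


class HardenedAuth:
    """Treats the client-side hash as the secret and re-derives it server-side
    with a per-user random salt and a slow KDF. A dump of the user table no
    longer yields anything the login endpoint will accept."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(client_hash: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", client_hash.encode(), salt, 100_000)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._derive(client_side_hash(username, password), salt))

    def login(self, username: str, submitted_hash: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(submitted_hash, salt))


def demo() -> dict[str, bool]:
    """Register one user in each scheme, then replay the leaked stored value
    the way an attacker who could read the credential table would."""
    vuln, hard = VulnerableAuth(), HardenedAuth()
    vuln.register("admin", PASSWORD)
    hard.register("admin", PASSWORD)

    leaked_from_vuln = vuln.users["admin"]           # stored client hash, as-is
    leaked_from_hard = hard.users["admin"][1].hex()  # stored derived value

    good = client_side_hash("admin", PASSWORD)       # what a real client sends
    return {
        "legit_vuln": vuln.login("admin", good),
        "replay_vuln": vuln.login("admin", leaked_from_vuln),   # True: the leak is password-equivalent
        "legit_hard": hard.login("admin", good),
        "replay_hard": hard.login("admin", leaked_from_hard),   # False: the leak is not what the client sends
    }


if __name__ == "__main__":
    print(demo())
```

The hardened form fixes the "leaked table" case only. The client-side hash is still a password equivalent to anyone who can capture it in transit, so client-side hashing never replaces TLS, rate limiting or lockout on the login endpoint; what it buys is that a read of the stored credential table (the CVE-2023-34134 class of bug) no longer hands the attacker a working login.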

Security appliances sitting at the network edge are ripe targets for attack, and vulnerabilities in them are routinely used as a foothold for moving further into corporate infrastructure before ransomware is deployed.

The 15 SonicWall vulnerabilities also include a hard-coded Tomcat credentials issue, command injection, and file upload bugs. Affected products: GMS Virtual Appliance 9.3.2-SP1 and earlier; GMS for Windows 9.3.2-SP1 and earlier; Analytics 2.5.0.4-R7 and earlier.
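One of the file-write bugs in the list, CVE-2023-34129, is classed as Zip Slip: an uploaded archive whose entry names contain "../" gets extracted outside the intended directory. The page gives no detail of how GMS handles archives, so the following is an added illustration of the bug class and its fix rather than anything from SonicWall. The archive, the directory layout and both extraction routines are constructed for the example. The naive routine joins the entry name onto the destination and writes; the hardened one resolves every entry first and refuses the whole archive if any entry would land outside the destination.

```python
import io
import os
import tempfile
import zipfile

# Constructed illustration of Zip Slip (CWE-22 through archive entry names).
# The archive, directories and extraction routines are hypothetical; none
# of this is SonicWall code.


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry plus one whose name
    climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "harmless content")
        zf.writestr("../../evil.txt", "written outside the extraction dir")
    return buf.getvalue()


def extract_naive(data: bytes, dest: str) -> None:
    """Vulnerable: joins the entry name onto dest without checking where the
    result lands, so '../' in the name escapes dest."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))


def resolve_inside(dest: str, name: str) -> str:
    """Return the absolute target for an entry, or raise if it would land
    outside dest. realpath() collapses '..' and follows symlinks; commonpath()
    rejects absolute names and sibling-prefix tricks ('/tmp/out' vs '/tmp/out2')."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise ValueError(f"entry escapes extraction dir: {name!r}")
    return target


def extract_safe(data: bytes, dest: str) -> list[str]:
    """Hardened: validate every entry before writing anything, so a bad
    archive is rejected whole rather than partially extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        plan = [(info, resolve_inside(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.relpath(target, os.path.realpath(dest)))
        return written


def demo() -> dict:
    """Extract the same archive with both routines into directories two levels
    deep under a temp dir, so the traversal stays inside the sandbox."""
    root = tempfile.mkdtemp()
    data = build_malicious_zip()

    naive_dest = os.path.join(root, "naive", "a", "b")
    os.makedirs(naive_dest)
    extract_naive(data, naive_dest)
    escaped = os.path.isfile(os.path.join(root, "naive", "evil.txt"))

    safe_dest = os.path.join(root, "safe", "a", "b")
    os.makedirs(safe_dest)
    try:
        extract_safe(data, safe_dest)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "naive_escaped": escaped,                     # True: evil.txt landed two levels up
        "safe_rejected": rejected,                    # True: archive refused
        "safe_wrote": sorted(os.listdir(safe_dest)),  # []: nothing written before the refusal
    }


if __name__ == "__main__":
    print(demo())
```

The validate-then-write order matters: checking each entry just before writing it would still leave "report.txt" on disk from a rejected upload, and an attacker can order entries however they like. The same check applies to tar and other archive formats, and to any upload endpoint that takes a user-supplied filename.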

They were all reported by Richard Warren and Sean Morland of NCC Group, with two also reported by Alex Birnberg of Zymo Security. There is no workaround available for this suite of SonicWall vulnerabilities; patching is the only fix. The Stack expects threat actors and offensive security researchers to be rapidly reverse engineering the patches, with proof-of-concept exploits likely to land soon.