SonicWall addressed multiple critical vulnerabilities in its Global Management System (GMS) firewall management and Analytics network management and reporting engine.
The company fixed 15 vulnerabilities that were disclosed in a Coordinated Vulnerability Disclosure report in conjunction with NCCGroup. Four of these vulnerabilities are rated as critical. They can be exploited by an attacker to bypass authentication and potentially expose sensitive information to an unauthorized actor.
The four critical-severity bugs addressed tracked as CVE-2023-34124, CVE-2023-34133, CVE-2023-34134, CVE-2023-34137 with a CVSS score ranging from 9.4-9.8 could be exploited to bypass authentication, potentially leading to the exposure of sensitive information.
Two of the flaws, tracked as CVE-2023-34133 and CVE-2023-34134 with a CVSS score of 9.8 are described as unauthenticated SQL injection and password hash exposure issues, respectively.
The remaining two, CVE-2023-34124 and CVE-2023-34137 (CVSS score of 9.4), are described as a web service authentication bypass and a CAS authentication bypass, respectively.
The remaining four are high-severity vulnerabilities, while the other seven have a severity rating of ‘medium’.
Sonicwall also notes that it is not aware of any of these vulnerabilities being exploited in the wild, nor of proof-of-concept (PoC) exploits being made public