SonicWall issues patch for vulnerabilities in GMS/Analytics

July 24, 2023 - TuxCare PR Team

SonicWall has issued an urgent patch for critical vulnerabilities in its Global Management System (GMS) and Analytics network reporting engine software suites after they were discovered by the NCC Group.

The vulnerabilities affect on-premises versions of GMS 9.3.2-SP1 or earlier and Analytics 2.5.0.4-R7 or earlier. They can be exploited remotely by unauthenticated attackers in low-complexity attacks that do not require user interaction.

Two of the flaws, tracked as CVE-2023-34133 and CVE-2023-34134 (CVSS score of 9.8), are described as unauthenticated SQL injection and password hash exposure issues, respectively. Another two, CVE-2023-34124 and CVE-2023-34137 (CVSS score of 9.4), are described as a web service authentication bypass and a CAS authentication bypass, respectively. Of the remaining flaws, four are high-severity vulnerabilities, while the other seven have a severity rating of ‘medium’.

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access to sensitive data, such as passwords, configuration files, and user activity logs. It could also allow them to disrupt network operations by modifying or deleting data, or by disabling services, and to install malware or ransomware on the affected system.

“The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve,” SonicWall said. “This might include data belonging to other users or any other data that the application itself is able to access. In many cases, an attacker can modify or delete this data, causing persistent changes to the application’s content or behavior.”

SonicWall PSIRT (Product Security Incident Response Team) strongly recommends that organizations using an affected GMS/Analytics On-Prem version upgrade to the respective patched version immediately. The patched versions are available for download from the SonicWall website.

SonicWall PSIRT stated that, as of their last knowledge update, there have been no public reports of proof-of-concept (PoC) exploit code or active exploitation of these vulnerabilities in the wild. Nonetheless, SonicWall appliances have been previously targeted in ransomware and cyber-espionage attacks, highlighting the importance of immediate patching to ensure network security.

The sources for this piece include an article in BleepingComputer.
