
SonicWall on Wednesday urged customers of its Global Management System (GMS) firewall management software and Analytics network reporting engine to apply the latest fixes, which address a set of 15 security flaws that a threat actor could exploit to bypass authentication and access sensitive information.
Of the 15 flaws (tracked as CVE-2023-34123 through CVE-2023-34137), four are rated critical, four high and seven medium in severity. The flaws were discovered and disclosed by NCC Group.
The flaws affect on-premises versions of GMS 9.3.2-SP1 and earlier and Analytics 2.5.0.4-R7 and earlier. Fixes are available in GMS 9.3.3 and Analytics 2.5.2.
“A series of vulnerabilities allow attackers to view data they would otherwise be unable to obtain,” SonicWall said. “This could include data belonging to other users, or other data that the application itself has access to. It can cause permanent changes.”
The four critical flaws are:
- CVE-2023-34124 (CVSS score: 9.4) – Web Service Authentication Bypass
- CVE-2023-34133 (CVSS score: 9.8) – Multiple Unauthenticated SQL Injection Issues and Security Filter Bypass
- CVE-2023-34134 (CVSS score: 9.8) – Password Hash Read via Web Service
- CVE-2023-34137 (CVSS score: 9.4) – Cloud App Security (CAS) Authentication Bypass
The disclosure comes as Fortinet revealed a critical flaw (CVE-2023-33308, CVSS score: 9.8) affecting FortiOS and FortiProxy that could, under certain circumstances, allow an adversary to execute code remotely. The issue was resolved in a previous release without an advisory.
“A stack-based overflow vulnerability [CWE-124] in FortiOS and FortiProxy may allow a remote attacker to execute arbitrary code or commands via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection,” the company said in an advisory.
Affected products include FortiOS versions 7.2.0 through 7.2.3 and 7.0.0 through 7.0.10, and FortiProxy versions 7.2.0 through 7.2.2 and 7.0.0 through 7.0.9. The flaw is fixed in the following versions:
- FortiOS version 7.4.0 or later
- FortiOS version 7.2.4 or later
- FortiOS version 7.0.11 or later
- FortiProxy version 7.2.3 or later
- FortiProxy version 7.0.10 or later
Note that the flaw does not affect any version of FortiOS 6.0, FortiOS 6.2, FortiOS 6.4, FortiProxy 1.x or FortiProxy 2.x.
For customers who cannot apply the update immediately, Fortinet recommends disabling HTTP/2 support in the SSL inspection profiles used by proxy policies or proxy-mode firewall policies.
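The HTTP/2 workaround above, shown as a FortiOS CLI fragment that is added here for illustration and is not text from the article, SonicWall or Fortinet. The profile name is a constructed placeholder, and the `supported-alpn` setting under `config firewall ssl-ssh-profile` is assumed to be the knob that controls which ALPN protocols an SSL inspection profile will negotiate.

```text
# Permissive setting (assumed): the inspection profile negotiates any
# ALPN protocol, so HTTP/2 is accepted on connections that pass through
# proxy-mode policies using this profile.
config firewall ssl-ssh-profile
    edit "deep-inspection-example"    # placeholder profile name
        set supported-alpn all
    next
end

# Interim mitigation until a fixed build (FortiOS 7.0.11 / 7.2.4 / 7.4.0,
# FortiProxy 7.0.10 / 7.2.3) is installed: limit ALPN to HTTP/1.1 so
# HTTP/2 is no longer negotiated through this profile.
config firewall ssl-ssh-profile
    edit "deep-inspection-example"
        set supported-alpn http1-1
    next
end

# Confirm the profile now carries the restricted setting.
show firewall ssl-ssh-profile deep-inspection-example
```

Repeat the change for every SSL inspection profile referenced by a proxy policy or a proxy-mode firewall policy; the setting narrows what the inspection path accepts and is a stopgap, not a replacement for the upgrade.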