cbcvebase.
CVE-2013-1359
published 2020-02-11

CVE-2013-1359: An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management…

PriorityP185critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
89.40%
99.8th percentile
An Authentication Bypass Vulnerability exists in DELL SonicWALL Analyzer 7.0, Global Management System (GMS) 4.1, 5.0, 5.1, 6.0, and 7.0; Universal Management Appliance (UMA) 5.1, 6.0, and 7.0 and ViewPoint 4.1, 5.0, 5.1, and 6.0 via the skipSessionCheck parameter to the UMA interface (/appliance/), which could let a remote malicious user obtain access to the root account.

Affected

13 ranges
VendorProductVersion rangeFixed in
sonicwallanalyzer
sonicwallglobal_management_system
sonicwallglobal_management_system
sonicwallglobal_management_system
sonicwallglobal_management_system
sonicwallglobal_management_system
sonicwallgms
sonicwalluniversal_management_appliance
sonicwalluniversal_management_appliance
sonicwalluniversal_management_appliance
sonicwallviewpoint
sonicwallviewpoint
sonicwallviewpoint

Detection & IOCsextracted from sources · hover to see the quote

url/appliance/applianceMainPage?skipSessionCheck=1
path/appliance/
filenamecbs.jsp
pathTomcat/webapps/appliance/
pathTomcat\webapps\appliance\
commandskipSessionCheck=1
  • Detect authentication bypass attempts by monitoring HTTP POST requests to /appliance/applianceMainPage containing the 'skipSessionCheck=1' parameter, which bypasses session validation entirely.
  • Alert on multipart/form-data POST requests to /appliance/applianceMainPage?skipSessionCheck=1 with action=file_system and task=uploadFile, indicating a JSP webshell upload attempt.
  • Detect POST requests to /appliance/applianceMainPage?skipSessionCheck=1 with action=show_diagnostics and task=search, used by attackers to fingerprint the GMS installation path prior to exploitation.
  • Monitor for GET requests to /appliance/*.jsp following a file upload to the appliance web directory, indicating execution of a dropped JSP webshell.
  • Alert on the Apache-Coyote server banner in HTTP responses from SonicWALL GMS, which is used by the exploit module to fingerprint the target before attack.
  • Detect new .jsp files written under the Tomcat/webapps/appliance/ directory on SonicWALL GMS hosts, as the exploit drops a JSP reverse shell payload there.
  • ·The exploit targets SonicWALL GMS versions 6.0.6017 and 6.0.6022 specifically in testing, but the authentication bypass affects a broader range of versions including GMS 4.1–7.0, UMA 5.1–7.0, ViewPoint 4.1–6.0, and Analyzer 7.0.
  • ·On the Linux Virtual Appliance target, the Linux Meterpreter payload did not run successfully during testing; a plain shell payload should be used instead.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.