cbcvebase.
CVE-2023-34124
published 2023-07-13


Priority: P1 90 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.89% (98.5th percentile)
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.

Affected (6 ranges; "-" marks a cell with no value in the source data)

Vendor     Product                   Version range    Fixed in
sonicwall  analytics                 <= 2.5.0.4-r7    -
sonicwall  analytics                 -                -
sonicwall  global_management_system  < 9.3.2          9.3.2
sonicwall  global_management_system  -                -
sonicwall  gms                       -                -
sonicwall  gms                       -                -

Note: the range data above marks GMS as fixed in 9.3.2, but the description lists GMS 9.3.2-SP1 and earlier as affected. Until the two are reconciled, scope exposure using the versions in the description rather than the narrower range entry.

Detection & IOCs (extracted from sources)

url: /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27
path: /ws/msw/tenant/
path: /appliance/login
path: /appliance/applianceMainPage
path: /opt/GMSVP/etc/
command (templated request body; the {{ }} expressions are filled in at runtime): action=login&skipSessionCheck=0&needPwdChange=0&clientHash={{ md5(concat(servertoken,replace_regex(alias,"^.*:",""))) }}&password={{replace_regex(alias,"^.*:","")}}&applianceUser={{replace_regex(alias,":.*$","")}}&appliancePassword=Nice%20Try&ctlTimezoneOffset=0
other: shodan-query: http.favicon.hash:-1381126564
other: fofa-query: icon_hash=-1381126564
  • Detect SQL injection auth bypass attempts against the GMS tenant web service endpoint: look for URL-encoded UNION SELECT payloads targeting SGMSDB.DOMAINS and sgmsdb.users tables in GET requests to /ws/msw/tenant/
  • Detect shell injection via the file_system task on /appliance/applianceMainPage: look for POST requests with action=file_system&task=search and searchFilter containing semicolons followed by bash commands (e.g., appliance.jar;bash)
  • The exploit chain involves three stages: (1) SQL injection on /ws/msw/tenant/, sent with a custom Auth header that carries user=system and an HMAC-SHA1 signature computed with the hardcoded secret '?~!@#$%^^()'; (2) credential harvesting and login to /appliance/applianceMainPage; (3) shell injection via the file_system search task. Alert on any of these stages.
  • Identify SonicWall GMS/Analytics exposed instances using favicon hash -1381126564 (Shodan/FOFA). Prioritize patching or monitoring of internet-facing assets matching this fingerprint.
  • Monitor for uudecode-based payload staging in POST body to /appliance/applianceMainPage, specifically begin-base64 strings and execution of files dropped under /tmp/ with subsequent removal (rm /tmp/.<filename>).
  • The response body for a successful appliance login step contains the string 'SonicWall Universal Management Appliance' or 'SonicWall Universal Management Host' — monitor for unexpected logins producing these responses from external IPs.
  • The HMAC-SHA1 authentication bypass relies on a hardcoded secret embedded in the GMS/Analytics application. The secret '?~!@#$%^^()' is used to sign the SQL injection query payload in the Auth header, enabling unauthenticated access to the /ws/msw/tenant/ endpoint.
  • The SQL injection query targets the SGMSDB.DOMAINS and sgmsdb.users tables, extracting the superadmin's id and password hash. The extracted credentials are then used to authenticate to the appliance management interface for the subsequent shell injection stage.
  • Affected versions are GMS 9.3.2-SP1 and earlier, and Analytics 2.5.0.4-R7 and earlier. The Metasploit module targets GMS versions <= 9.9.9320.
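The detection bullets above describe what to look for at each stage but not how to match it once the request is percent-encoded. The following is an added example written for this page, not code from the page's sources, SonicWall, or VulnCheck: it decodes a request's path and form body and labels it by exploit stage using only the paths, parameter names and literals listed in the IOC section (the tenant endpoint, action=file_system&task=search, a semicolon-chained command in searchFilter, begin-base64/uudecode staging under /tmp/, and the fixed appliancePassword=Nice%20Try from the command IOC). The sample requests are constructed for the example and are not captured traffic; the stage labels and the list of chained commands are assumptions of mine, not a signature from any vendor.

```python
# Added example (not from the page, SonicWall, or VulnCheck): request-level
# detection for the CVE-2023-34124 exploit chain. Sample requests below are
# constructed, not captured traffic.
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample requests as (method, raw_path, raw_body) tuples.
SAMPLE_REQUESTS = [
    # Stage 1: SQL injection against the tenant web service (the IOC URL above).
    ("GET",
     "/ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS"
     "%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C"
     "%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users"
     "%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201"
     "%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27",
     ""),
    # Stage 2: appliance login with harvested credentials; "Nice Try" is the
    # literal appliancePassword in the command IOC (clientHash/password are dummies).
    ("POST", "/appliance/login",
     "action=login&skipSessionCheck=0&needPwdChange=0&clientHash=0123abcd"
     "&password=deadbeef&applianceUser=admin&appliancePassword=Nice%20Try"
     "&ctlTimezoneOffset=0"),
    # Stage 3: shell injection through the file_system search task.
    ("POST", "/appliance/applianceMainPage",
     "action=file_system&task=search&searchFilter=appliance.jar%3Bbash+-c+%27id%27"),
    # Stage 3 variant: uudecode-based payload staging into /tmp.
    ("POST", "/appliance/applianceMainPage",
     "action=file_system&task=search&searchFilter=x%3Becho+%27begin-base64+644+.p%27"
     "+%7C+uudecode+-o+/tmp/.p"),
    # Benign traffic that must not alert.
    ("GET", "/appliance/login", ""),
    ("POST", "/appliance/applianceMainPage",
     "action=file_system&task=search&searchFilter=appliance.jar"),
]

TENANT_PREFIX = "/ws/msw/tenant/"
UNION_SELECT_RE = re.compile(r"\bunion\s+select\b", re.I)
SGMS_TABLE_RE = re.compile(r"\bsgmsdb\.(domains|users)\b", re.I)
# Assumed list of chained commands: a semicolon followed by an interpreter or
# staging tool inside searchFilter. Extend for your environment.
SHELL_CHAIN_RE = re.compile(r";\s*(?:bash|sh|echo|uudecode|rm|curl|wget|python|perl)\b", re.I)
STAGING_RE = re.compile(r"begin-base64|\buudecode\b|/tmp/\.", re.I)


def first(params, name):
    """Return the first value of a form parameter, or '' if absent."""
    return params.get(name, [""])[0]


def classify(method, raw_path, raw_body):
    """Return the list of exploit-stage labels matched by one request."""
    path = unquote_plus(raw_path)                        # decode %27, %20, ... first
    params = parse_qs(raw_body, keep_blank_values=True)  # also percent-decodes values
    findings = []

    # Stage 1: UNION SELECT against the GMS schema on the tenant endpoint.
    if (path.startswith(TENANT_PREFIX) and UNION_SELECT_RE.search(path)
            and SGMS_TABLE_RE.search(path)):
        findings.append("stage1_sqli_auth_bypass")

    # Stage 2: login whose appliancePassword is the template's fixed marker.
    if (path == "/appliance/login" and first(params, "action") == "login"
            and first(params, "appliancePassword") == "Nice Try"):
        findings.append("stage2_login_template_marker")

    # Stage 3: file_system search whose filter chains a shell command.
    if (path == "/appliance/applianceMainPage" and first(params, "action") == "file_system"
            and first(params, "task") == "search"):
        search_filter = first(params, "searchFilter")
        if SHELL_CHAIN_RE.search(search_filter):
            findings.append("stage3_shell_injection")
        if STAGING_RE.search(search_filter):
            findings.append("stage3_uudecode_staging")
    return findings


def scan(requests):
    """Map request index -> findings for every request that matched a stage."""
    hits = {}
    for i, (method, raw_path, raw_body) in enumerate(requests):
        labels = classify(method, raw_path, raw_body)
        if labels:
            hits[i] = labels
    return hits


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_REQUESTS).items():
        print(idx, SAMPLE_REQUESTS[idx][1][:40], labels)
```

Decode before matching: the IOC URL is percent-encoded, so a rule keyed on the literal string "union select" misses it, while a rule on the decoded path also catches mixed-case or partially encoded variants. The stage 2 rule is deliberately narrow (it only fires on the public template's "Nice Try" marker); a customised tool will change that string, so pair it with the response-body and source-IP checks from the bullets above.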

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL