CVE-2023-34127
Published 2023-07-13
Priority: P1 82 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 86.73% (99.7th percentile)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in SonicWall GMS, SonicWall Analytics enables an authenticated attacker to execute arbitrary code with root privileges. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sonicwall | analytics | <= 2.5.0.4-r7 | — |
| sonicwall | analytics | — | — |
| sonicwall | global_management_system | < 9.3.2 | 9.3.2 |
| sonicwall | global_management_system | — | — |
| sonicwall | gms | — | — |
| sonicwall | gms | — | — |
Detection & IOCs
url: /ws/msw/tenant/%27%20union%20select%20%28select%20ID%20from%20SGMSDB.DOMAINS%20limit%201%29%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%27%27%2C%20%28select%20concat%28id%2C%20%27%3A%27%2C%20password%29%20from%20sgmsdb.users%20where%20active%20%3D%20%271%27%20order%20by%20issuperadmin%20desc%20limit%201%20offset%200%29%2C%27%27%2C%20%27%27%2C%20%27
- Detect SQL injection attempts via the /ws/msw/tenant/ endpoint: look for URL-encoded UNION SELECT payloads targeting the SGMSDB.DOMAINS and sgmsdb.users tables in the URI path.
- Detect authentication bypass attempts: monitor POST to /appliance/applianceMainPage with action=login and the custom Auth header containing a base64-encoded HMAC-SHA1 hash on GET /ws/msw/tenant/ requests.
- Use Shodan/FOFA favicon hash -1381126564 to identify exposed SonicWall GMS/Analytics instances for asset discovery and attack surface monitoring.
- The exploit chain involves three stages: (1) SQL injection on /ws/msw/tenant/ to harvest credentials, (2) login to /appliance/applianceMainPage to obtain a session, (3) shell injection via file_system search task. Correlate these three request patterns from the same source IP.
- The HMAC secret used in the authentication bypass is a fixed string; detect requests where the Auth header hash is derived using the secret '?~!@#$%^^()'.
- Note: CVE-2023-34127 requires an authenticated attacker (OS command injection with root privileges), while the exploit template shown is for the related CVE-2023-34124 (auth bypass + SQL injection chain). The Nuclei template ID and references are for CVE-2023-34124, not CVE-2023-34127; detections should account for both CVEs being chained together.
- Note: Affected versions are GMS 9.3.2-SP1 and earlier, and Analytics 2.5.0.4-R7 and earlier. The Metasploit module references GMS versions <= 9.9.9320, which may reflect a broader or updated scope.
SonicWall
vendor_sonicwall · 2023-07-13 · CVSS 8.8
CVE-2023-34127 [HIGH] CWE-78
GHSA
GHSA-j825-x83p-56g6 · ghsa_unreviewed · 2023-07-13
CVE-2023-34127 [HIGH] CWE-78
No detection rules found.
Nuclei
SonicWall GMS and Analytics Web Services - Shell Injection
nuclei · CVSS 9.8
CVE-2023-34124 [CRITICAL]
The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
Template:
id: CVE-2023-34124
info:
  name: SonicWall GMS and Analytics Web Services - Shell Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The authentication mechanism in SonicWall GMS and Analytics Web Services had insufficient checks, allowing authentication bypass. This issue affects GMS: 9.3.2-SP1 and earlier versions; Analytics: 2.5.0.4-R7 and earlier versions
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data leakage, an
Metasploit
Sonicwall
metasploit
This module exploits a series of vulnerabilities - including auth bypass, SQL injection, and shell injection - to obtain remote code execution on SonicWall GMS versions <= 9.9.9320.
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/174571/Sonicwall-GMS-9.9.9320-Remote-Code-Execution.html
- https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0010
- https://www.sonicwall.com/support/notices/230710150218060
Published: 2023-07-13