SonicWall Patches GMS Flaws to Block Data Breaches and Bypass Attacks

CVE-2024-29010 & CVE-2024-29011

SonicWall has released a security patch for its Global Management System (GMS) software, addressing two vulnerabilities that could be exploited by attackers to gain unauthorized access to sensitive data (CVE-2024-29010) and bypass authentication mechanisms (CVE-2024-29011).

Vulnerabilities Explained

  1. CVE-2024-29010: XML External Entity Processing Information Disclosure Vulnerability This vulnerability arises from the way XML documents are processed within the GMS ECM endpoint. An XML external entity (XXE) injection vulnerability could allow unauthorized parties to access confidential information, scoring a 7.1 on the CVSS scale.
  2. CVE-2024-29011: Hard-Coded Credential Authentication Bypass Vulnerability This flaw involves the use of hard-coded credentials in the GMS ECM endpoint, which could lead to an authentication bypass. This issue is considered slightly more severe, with a CVSS score of 7.5.

These flaws impact SonicWall GMS Virtual Appliance and Windows installations running versions 9.3.4 and older. Despite these vulnerabilities, SonicWall confirms that its Analytics products are not affected. Furthermore, there is no evidence to suggest that these vulnerabilities have been exploited in the wild as of yet.

The vulnerabilities were responsibly reported to SonicWall by Erik Wynter through the Trend Micro Zero Day Initiative.

Urgent Action Required

In response to these discoveries, SonicWall has developed and released updated software versions starting from GMS 9.4.0 (Build 9.4-9400.1040) for both the Virtual Appliance and Windows platforms. These updates address the vulnerabilities, ensuring enhanced security for the management system.

SonicWall strongly recommends that all organizations using affected versions of the GMS software upgrade immediately to the latest version to mitigate any risks associated with these vulnerabilities. Delay in updating the software could leave networks susceptible to unauthorized access and data breaches.