A vulnerability in SonicOS allow authenticated read-only admin can elevate permissions to configuration mode. This vulnerability affected SonicOS Gen 5 version 5.9.1.12-4o and earlier, Gen 6 version 6.2.7.4-32n, 6.5.1.4-4n, 6.5.2.3-4n, 6.5.3.3-3n, 6.2.7.10-3n, 6.4.1.0-3n, 6.5.3.3-3n, 6.5.1.9-4n and SonicOSv 6.5.0.2-8v_RC363 (VMWARE), 6.5.0.2.8v_RC367 (AZURE), SonicOSv 6.5.0.2.8v_RC368 (AWS), SonicOSv 6.5.0.2.8v_RC366 (HYPER_V).
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Sonicos | Sonicwall | * | 5.9.1.12-4o (including) |
Sonicos | Sonicwall | 6.2.7.4-32n (including) | 6.2.7.4-32n (including) |
Sonicos | Sonicwall | 6.2.7.10-3n (including) | 6.2.7.10-3n (including) |
Sonicos | Sonicwall | 6.4.1.0-3n (including) | 6.4.1.0-3n (including) |
Sonicos | Sonicwall | 6.5.1.4-4n (including) | 6.5.1.4-4n (including) |
Sonicos | Sonicwall | 6.5.1.9-4n (including) | 6.5.1.9-4n (including) |
Sonicos | Sonicwall | 6.5.2.3-4n (including) | 6.5.2.3-4n (including) |
Sonicos | Sonicwall | 6.5.3.3-3n (including) | 6.5.3.3-3n (including) |
Sonicosv | Sonicwall | 6.5.0.2.8v (including) | 6.5.0.2.8v (including) |
Sonicosv | Sonicwall | 6.5.0.2.8v-rc363 (including) | 6.5.0.2.8v-rc363 (including) |
Sonicosv | Sonicwall | 6.5.0.2.8v-rc366 (including) | 6.5.0.2.8v-rc366 (including) |
Sonicosv | Sonicwall | 6.5.0.2.8v-rc367 (including) | 6.5.0.2.8v-rc367 (including) |
Sonicosv | Sonicwall | 6.5.0.2.8v-rc368 (including) | 6.5.0.2.8v-rc368 (including) |
Assuming a user with a given identity, authorization is the process of determining whether that user can access a given resource, based on the user’s privileges and any permissions or other access-control specifications that apply to the resource. When access control checks are not applied consistently - or not at all - users are able to access data or perform actions that they should not be allowed to perform. This can lead to a wide range of problems, including information exposures, denial of service, and arbitrary code execution.