Security Advisory: SonicWall firewall - management vulnerabilities
08/03/2020 
476 
23759
DESCRIPTION:
SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild, however:
SonicWall STRONGLY advises to apply the SonicOS patch immediately.
CAUTION: IF you cannot update immediately, as a mitigation please restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, then apply the SonicOS patch as soon as possible.
NOTE: SonicWall will communicate any future updates via this Security Advisory and SonicWall PSIRT Advisory SNWLID-2019-0009.
RESOLUTION:
Updating SonicOS Firmware (Recommended)
After reviewing this security advisory, please go to MySonicWall and download the appropriate SonicOS patch release from the table below. The following provides information on How to Update SonicOS Firmware.
SonicOS Patch Releases
In the table below, find the existing SonicOS version that a firewall is currently running, (SonicOS Running Version); then select the SonicOS patch release from the same row, download that version from mysonicwall.com, and update SonicOS firmware using the steps linked above.
Platforms: NSA, TZ, SOHO (GEN5): |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
5.8.x.x and earlier | Patch not required. |
5.9.0.x (5.9.0.0 to 5.9.0.7) | 5.9.0.8 |
5.9.1.x (5.9.1.0 to 5.9.1.12) | 5.9.1.13 |
| |
Platforms: NSA, TZ, SOHO, SuperMassive 92xx/94xx/96xx (GEN6+) |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.1.x.x | Patch not required. |
6.2.x.x (6.2.0.0 to 6.2.3.1) | 6.2.3.2 |
6.2.4.x (6.2.4.0 to 6.2.4.3) | 6.2.4.4 |
6.2.5.x (6.2.5.0 to 6.2.5.3) | 6.2.5.4 |
6.2.6.x (6.2.6.0 to 6.2.6.1) | 6.2.6.2 |
6.2.7.x (6.2.7.0 to 6.2.7.4) | 6.2.7.5 |
6.2.9.x (6.2.9.0 to 6.2.9.2) | 6.2.9.3 |
6.5.0.x (6.5.0.0 to 6.5.0.3) | 6.5.0.4 |
6.5.1.x (6.5.1.0 to 6.5.1.4) | 6.5.1.5 |
6.5.2.x (6.5.2.0 to 6.5.2.3) | 6.5.2.4 |
6.5.3.x (6.5.3.0 to 6.5.3.3) | 6.5.3.4 |
6.5.4.x (6.5.4.0 to 6.5.4.3) | 6.5.4.4 |
| |
Platforms: SuperMassive 12K, 10K, 9800 |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.0.x.x | Patch not required. |
6.2.7.x | 6.2.7.11 |
6.4.1.x | 6.4.1.1 |
6.5.1.x | 6.5.1.10 |
Platforms: NSv (virtual: vmware/hyperv/aws/azure/kvm) |
SonicOS Running Version | SonicOS Patch release |
All versions (virtual) | Patch not required. |
SonicWall has provided patches for recent major and minor releases, as shown in the table above. For devices with hotfixes or language specific releases, please follow the instructions above to restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, and then coordinate with SonicWall support to select the appropriate patch with hotfix including (DTS) 219154.
Restrict access to SonicWall management (Best Practice)
SonicWall strongly recommends that administrators limit SonicOS management access to trusted sources, and/or disable management access from untrusted Internet sources, by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management) to allow management access only from trusted source IP addresses. Please refer to the following knowledge base articles:
Plan to update to the latest SonicOS releases (Best Practice):
The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, as they are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.
In addition to security fixes, recent major software updates also often include new or enhanced features, or offer better compatibility. They also improve the stability of your software and remove outdated features. All of these updates are aimed at making the user experience better while keeping customers secure.
Secure Upgrade
SonicWall’s newest generation of appliances run the most advanced security software, including Capture Security Services with RTDMI (Real-time Deep Memory Inspection). Relying on legacy security solutions increases the risk of exposure in today’s environment of zero-days and rapidly-evolving threats. SonicWall strongly recommends utilizing Secure Upgrade—the customer loyalty offering to replace legacy solutions with the most advanced security technology available. Contact your current SonicWall Partner and local SonicWall Team today to learn more about Secure Upgrade options.
There are two ways to contact technical support:
1. Online: Visit mysonicwall.com. Once logged in select Resources & Support | Support | Create Case.
2. By phone: please use our toll-free number at 1-888-793-2830. Please have your SonicWall serial number available to create a new support case.
If you do not have a mysonicwall.com account create one for free!
ISSUE ID:
219154
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
