Security Advisory: SonicWall Firewall - Management Vulnerabilities
03/26/2020
DESCRIPTION:
SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild, however:
SonicWall STRONGLY advises to apply the SonicOS patch immediately.
IF you cannot update immediately, as a mitigation please restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, then apply the SonicOS patch as soon as possible.
Note: SonicWall will communicate any future updates via this Security Advisory and SonicWall PSIRT Advisory SNWLID-2019-0009.
RESOLUTION:
Updating SonicOS Firmware (Recommended)
After reviewing this security advisory, please go to MySonicWall and download the appropriate SonicOS patch release from the table below. The following provides information on “How to Update SonicOS Firmware”.
- How to Update SonicOS Firmware - Knowledge Base Article
- How to Update SonicOS Firmware - Video:
SonicOS Patch Releases
In the table below, find the existing SonicOS version that a firewall is currently running, (SonicOS Running Version); then select the SonicOS patch release from the same row, download that version from MySonicwall, and update SonicOS Firmware using the steps linked above.
Platforms: NSA, TZ, SOHO (GEN5): | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
5.8.x.x and earlier | Patch not required. |
5.9.0.x (5.9.0.0 to 5.9.0.7) | 5.9.0.8 |
5.9.1.x (5.9.1.0 to 5.9.1.12) | 5.9.1.13 |
|
|
Platforms: NSA, TZ, SOHO, SuperMassive 92xx/94xx/96xx (GEN6+) | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.1.x.x | Patch not required. |
6.2.x.x (6.2.0.0 to 6.2.3.1) | 6.2.3.2 |
6.2.4.x (6.2.4.0 to 6.2.4.3) | 6.2.4.4 |
6.2.5.x (6.2.5.0 to 6.2.5.3) | 6.2.5.4 |
6.2.6.x (6.2.6.0 to 6.2.6.1) | 6.2.6.2 |
6.2.7.x (6.2.7.0 to 6.2.7.4) | 6.2.7.5 |
6.2.9.x (6.2.9.0 to 6.2.9.2) | 6.2.9.3 |
6.5.0.x (6.5.0.0 to 6.5.0.3) | 6.5.0.4 |
6.5.1.x (6.5.1.0 to 6.5.1.4) | 6.5.1.5 |
6.5.2.x (6.5.2.0 to 6.5.2.3) | 6.5.2.4 |
6.5.3.x (6.5.3.0 to 6.5.3.3) | 6.5.3.4 |
6.5.4.x (6.5.4.0 to 6.5.4.3) | 6.5.4.4 |
|
|
Platforms: SuperMassive 12K, 10K, 9800 | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.0.x.x | Patch not required. |
6.2.7.x | 6.2.7.11 |
6.4.1.x | 6.4.1.1 |
6.5.1.x | 6.5.1.10 |
Platforms: NSv (virtual: vmware/hyperv/aws/azure/kvm) | |
SonicOS Running Version | SonicOS Patch release |
All versions (virtual) | Patch not required. |
SonicWall has provided patches for recent major and minor releases, as shown in the table above. For devices with hotfixes or language specific releases, please follow the instructions above to restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, and then coordinate with SonicWall support to select the appropriate patch with hotfix including (DTS) 219154.
Restrict access to SonicWall management (Best Practice)
SonicWall strongly recommends that administrators limit SonicOS management access to trusted sources, and/or disable management access from untrusted Internet sources, by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management) to allow management access only from trusted source IP addresses. Please refer to the following knowledge base articles:
- Suggested tips when allowing access to SonicWall web management
- How to restrict Admin access to the device
Plan to update to the latest SonicOS releases (Best Practice):
The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, as they are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.
In addition to security fixes, recent major software updates also often include new or enhanced features, or offer better compatibility. They also improve the stability of your software and remove outdated features. All of these updates are aimed at making the user experience better while keeping customers secure.
Secure Upgrade
SonicWall’s newest generation of appliances run the most advanced security software, including Capture Security Services with RTDMI (Real-time Deep Memory Inspection). Relying on legacy security solutions increases the risk of exposure in today’s environment of zero-days and rapidly-evolving threats. SonicWall strongly recommends utilizing “Secure Upgrade”—the customer loyalty offering to replace legacy solutions with the most advanced security technology available. Contact your current SonicWall Partner and local SonicWall Team today to learn more about Secure Upgrade options.
Contacting SonicWall Support
There are two ways to contact technical support:
- Online:
Visit MySonicWall.com. If you do not have an account create one for free. Once logged in, select Resources & Support | Support | Create Case. - By phone:
Phone numbers provided at https://www.sonicwall.com/support/contact-support/ .
Please have your SonicWall serial number available to create a new support case.
ISSUE ID:
219154
