- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
Security Advisory: SonicWall Firewall - Management Vulnerabilities
First Published:07/18/2019 
Last Updated:03/26/2020
SonicWall physical firewall appliances running certain versions of SonicOS contain vulnerabilities in code utilized for remote management. At this time, there is no indication that the discovered vulnerabilities are being exploited in the wild, however:
SonicWall STRONGLY advises to apply the SonicOS patch immediately.
IF you cannot update immediately, as a mitigation please restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, then apply the SonicOS patch as soon as possible.
Note: SonicWall will communicate any future updates via this Security Advisory and SonicWall PSIRT Advisory SNWLID-2019-0009.
RESOLUTION:
Updating SonicOS Firmware (Recommended)
After reviewing this security advisory, please go to MySonicWall and download the appropriate SonicOS patch release from the table below. The following provides information on “How to Update SonicOS Firmware”.
- How to Update SonicOS Firmware - Knowledge Base Article
- How to Update SonicOS Firmware - Video:
SonicOS Patch Releases
In the table below, find the existing SonicOS version that a firewall is currently running, (SonicOS Running Version); then select the SonicOS patch release from the same row, download that version from MySonicwall, and update SonicOS Firmware using the steps linked above.
Platforms: NSA, TZ, SOHO (GEN5): | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
5.8.x.x and earlier | Patch not required. |
5.9.0.x (5.9.0.0 to 5.9.0.7) | 5.9.0.8 |
5.9.1.x (5.9.1.0 to 5.9.1.12) | 5.9.1.13 |
|
|
Platforms: NSA, TZ, SOHO, SuperMassive 92xx/94xx/96xx (GEN6+) | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.1.x.x | Patch not required. |
6.2.x.x (6.2.0.0 to 6.2.3.1) | 6.2.3.2 |
6.2.4.x (6.2.4.0 to 6.2.4.3) | 6.2.4.4 |
6.2.5.x (6.2.5.0 to 6.2.5.3) | 6.2.5.4 |
6.2.6.x (6.2.6.0 to 6.2.6.1) | 6.2.6.2 |
6.2.7.x (6.2.7.0 to 6.2.7.4) | 6.2.7.5 |
6.2.9.x (6.2.9.0 to 6.2.9.2) | 6.2.9.3 |
6.5.0.x (6.5.0.0 to 6.5.0.3) | 6.5.0.4 |
6.5.1.x (6.5.1.0 to 6.5.1.4) | 6.5.1.5 |
6.5.2.x (6.5.2.0 to 6.5.2.3) | 6.5.2.4 |
6.5.3.x (6.5.3.0 to 6.5.3.3) | 6.5.3.4 |
6.5.4.x (6.5.4.0 to 6.5.4.3) | 6.5.4.4 |
|
|
Platforms: SuperMassive 12K, 10K, 9800 | |
SonicOS Running Version | SonicOS Patch release (Update to version or later) |
6.0.x.x | Patch not required. |
6.2.7.x | 6.2.7.11 |
6.4.1.x | 6.4.1.1 |
6.5.1.x | 6.5.1.10 |
Platforms: NSv (virtual: vmware/hyperv/aws/azure/kvm) | |
SonicOS Running Version | SonicOS Patch release |
All versions (virtual) | Patch not required. |
SonicWall has provided patches for recent major and minor releases, as shown in the table above. For devices with hotfixes or language specific releases, please follow the instructions above to restrict SonicWall management access (HTTPS/HTTP/SSH) to trusted sources and/or disable management access from untrusted Internet sources, and then coordinate with SonicWall support to select the appropriate patch with hotfix including (DTS) 219154.
Restrict access to SonicWall management (Best Practice)
SonicWall strongly recommends that administrators limit SonicOS management access to trusted sources, and/or disable management access from untrusted Internet sources, by modifying the existing SonicOS Management access rules (SSH/HTTPS/HTTP Management) to allow management access only from trusted source IP addresses. Please refer to the following knowledge base articles:
- Suggested tips when allowing access to SonicWall web management
- How to restrict Admin access to the device
Plan to update to the latest SonicOS releases (Best Practice):
The weaponization of published vulnerabilities against old software serves as an important reminder that customers should never procrastinate software updates, as they are one of the most important steps you can take to secure your infrastructure against today’s rapidly-evolving threat landscape.
In addition to security fixes, recent major software updates also often include new or enhanced features, or offer better compatibility. They also improve the stability of your software and remove outdated features. All of these updates are aimed at making the user experience better while keeping customers secure.
Secure Upgrade
SonicWall’s newest generation of appliances run the most advanced security software, including Capture Security Services with RTDMI (Real-time Deep Memory Inspection). Relying on legacy security solutions increases the risk of exposure in today’s environment of zero-days and rapidly-evolving threats. SonicWall strongly recommends utilizing “Secure Upgrade”—the customer loyalty offering to replace legacy solutions with the most advanced security technology available. Contact your current SonicWall Partner and local SonicWall Team today to learn more about Secure Upgrade options.
Contacting SonicWall Support
There are two ways to contact technical support:
- Online:
Visit MySonicWall.com. If you do not have an account create one for free. Once logged in, select Resources & Support | Support | Create Case. - By phone:
Phone numbers provided at https://www.sonicwall.com/support/contact-support/ .
Please have your SonicWall serial number available to create a new support case.
ISSUE ID:
219154
