
SonicWALL NSA Series Product Notification

Critical Issue

SonicWall Notice Concerning CVE-2014-6271 / CVE-2014-7169 / CVE-2014-6277 / CVE-2014-6278 "GNU Bash Vulnerability"


Dear Customer,

Researchers have found a critical vulnerability (CVE-2014-6271 / CVE-2014-7169 / CVE-2014-6277 / CVE-2014-6278) in the GNU Bash shell (aka "ShellShock") which was reported on the NIST National Vulnerability Database on 9/24/2014.

SonicWall Firewalls are NOT Affected

SonicWall firewalls (TZ, NSA, E-Class NSA, SuperMassive) are NOT affected by the GNU Bash vulnerability (no Bash or other *nix shells exist in SonicOS). Additionally, firewalls with an active Intrusion Prevention Service, as of Sep 24th 2014, have signatures to protect vulnerable servers and devices positioned behind the firewalls.

SonicWall E-Class Secure Remote Access/Secure Mobile Access are NOT Affected

The E-Class Secure Remote Access (E-Class SRA) and Secure Mobile Access (SMA) appliance products are NOT vulnerable (the GNU Bash shell is not utilized internally for product functionality).

SMB Secure Remote Access (SMB SRA) Appliance Firmware Versions Affected, IF Web Application Firewall (WAF) is NOT Enabled

SMB SRA Firmware:
All 7.5 versions prior to 7.5.0.10-27sv
All 7.0 and earlier versions prior to 7.0.1.1-3sv

Impact: The SRA's Web Application Firewall (WAF) protection should be enabled, as the WAF protects the SRA itself (the SRA is NOT affected when WAF is enabled). Affected versions/configurations should patch and/or enable WAF immediately (instructions below).

Recommended Action:
Upgrade 7.5 to 7.5.0.10-29sv (or newer)
Upgrade 7.0 to 7.0.1.1-5sv (or newer)
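
An added example, not part of SonicWall's notice: a Python triage of an SMB SRA inventory against the affected-version thresholds and WAF condition stated above. The hostnames and firmware versions in the inventory are constructed, and the code assumes version strings of the form a.b.c.d-NNsv in which "prior to" means numerically lower, field by field.

```python
import re

# First unaffected build per branch, copied from the advisory's SMB SRA table.
FIRST_UNAFFECTED = {
    "7.5": (7, 5, 0, 10, 27),  # "All 7.5 versions prior to 7.5.0.10-27sv"
    "7.0": (7, 0, 1, 1, 3),    # "All 7.0 and earlier versions prior to 7.0.1.1-3sv"
}
# Upgrade targets from the advisory's "Recommended Action" entry.
UPGRADE_TARGET = {"7.5": "7.5.0.10-29sv", "7.0": "7.0.1.1-5sv"}
# Assumed version format: four dotted numbers, a dash, a build number, "sv".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)sv$")

def parse_version(text):
    """Return the version as a 5-tuple of ints, or raise ValueError."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised SRA firmware version: {text!r}")
    return tuple(int(group) for group in match.groups())

def triage(version_text, waf_enabled):
    """Classify one appliance; returns (status, upgrade_target_or_None)."""
    version = parse_version(version_text)
    if version[:2] == (7, 5):
        branch = "7.5"
    elif version[:2] <= (7, 0):
        branch = "7.0"  # the advisory groups 7.0 with all earlier releases
    else:
        return ("not-listed", None)  # branch the advisory does not mention
    if version >= FIRST_UNAFFECTED[branch]:
        return ("not-affected", None)
    # Affected build: the advisory treats it as exposed only while WAF is off.
    status = "waf-mitigated" if waf_enabled else "affected"
    return (status, UPGRADE_TARGET[branch])

# Constructed inventory for illustration: (hostname, firmware, WAF enabled).
INVENTORY = [
    ("sra-hq", "7.5.0.9-21sv", False),
    ("sra-branch", "7.5.0.10-26sv", True),
    ("sra-lab", "7.0.1.1-3sv", False),
    ("sra-legacy", "6.0.0.13-30sv", False),
]

def report(inventory=INVENTORY):
    """Map each hostname to its triage result."""
    return {host: triage(fw, waf) for host, fw, waf in inventory}

if __name__ == "__main__":
    for host, (status, target) in report().items():
        print(f"{host}: {status}" + (f", upgrade to {target}" if target else ""))
```

A "not-listed" result means the branch falls outside the ranges this notice names, so it needs a separate check rather than being read as safe.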

SMB Secure Remote Access (SMB SRA) Web Application Firewall (WAF) Provides Protection Against GNU Bash Vulnerability

SonicWall has released a WAF signature (1603 Bash Code Injection) for the SMB SRA which protects the SMB SRA appliance itself, as well as web servers and devices behind the SRA.

To configure the WAF protection, go to the "Web Application Firewall > Status" tab and enable Web Application Firewall. If "Apply Signature Updates Automatically" is enabled, the signatures should take effect automatically. If it is not enabled, admins have to go to the "Web Application Firewall > Status" page manually and click "Apply".

Check the box for High/Medium Priority Attacks for both Detect and Prevent.

To verify the configuration, search for Signatures 9011 and 1603 and ensure they are enabled for both detection and prevention on the "Web Application Firewall > Signatures" page.


For more advanced WAF Configuration please reference the WAF Admin Guide.

Email Security Appliance Firmware Versions Affected

Email Security Appliance: Email Security Appliances running version 8.0.3 or earlier.

Impact: The Email Security appliance is NOT vulnerable through the standard access ports, such as SMTP (port 25) or the HTTP/HTTPS web user interfaces (port 80/443). However, for versions 8.0.3 or earlier, the appliance CLI (SNWLCLI) accessed via SSH is vulnerable; either disable the CLI as a workaround or upgrade to 8.0.4+ (or 7.4.8 patch).

Recommended Action: For versions 8.0.4 or earlier, disable the appliance CLI (SNWLCLI) as a workaround (instructions below), then upgrade to Email Security 8.0.5 (or 7.4.8 patch) during the next maintenance cycle.

Email Security Appliance Instructions to Disable SSH to CLI (SNWLCLI)

To disable SSH to CLI, log in to the CLI (using SSH, the serial port console, or the KVM connection on the appliance).

$ ssh snwlcli@emailsecurityappliance
For CLI access you must login as snwlcli user.
Login: admin
Password:
SNWLCLI> help sshd
sshd [{on|off}]
With no arguments displays sshd status
With on or off, enables or disables sshd
SNWLCLI> sshd off
SNWLCLI> quit
Connection to emailsecurityappliance closed.

The SSH connection is now refused:
$ ssh snwlcli@emailsecurityappliance
ssh: connect to host emailsecurityappliance port 22: Connection refused

To re-enable SSH, access the snwlcli from the serial port console or from the KVM connection on the back of the appliance.

Management and Reporting Appliance Firmware Versions Affected

Global Management System (GMS) and Analyzer / ViewPoint Appliance: GMS / Analyzer / ViewPoint Appliances running version 7.2 or earlier.

Impact: The GMS / Analyzer / ViewPoint appliance is NOT vulnerable through the standard access ports, such as the HTTP/HTTPS web user interfaces (port 80/443). However, for versions earlier than 7.2.7222.1730, the appliance CLI (SNWLCLI) accessed via SSH is vulnerable, and the hotfix below should be applied.

Recommended Action: Apply Hotfix:
7.2: sw_gmsvp_all_eng_7.2.hotfix.dts.150000.sig
7.1: sw_gmsvp_all_eng_7.1.hotfix.dts.150000.sig
7.0: sw_gmsvp_all_eng_7.0.hotfix.dts.150000.sig
6.0: sw_gmsvp_all_eng_6.0.hotfix.dts.150000.sig
5.1: sw_gmsvp_all_eng_5.1.hotfix.dts.150000.sig

For new installs, deploy version 7.2.7222.1730 or greater.