Welcome to our NEW support portal! We are now SonicWall, with a dedicated support site. Learn more.
Researchers have found a critical vulnerability ( CVE-2014-6271 / CVE-2014-7169 / CVE-2014-6277 / CVE-2014-6278 ) in the GNU Bash shell (aka "ShellShock") which was reported on the NIST National Vulnerability Database on 9/24/2014.
SonicWall Firewalls are NOT Affected
SonicWall firewalls (TZ, NSA, E-Class NSA, SuperMassive) are NOT affected by the GNU Bash vulnerability (no Bash or other *nix shells exist in SonicOS). Additionally, firewalls with an active Intrusion Prevention Service, as of Sep 24th 2014, have signatures to protect vulnerable servers and devices positioned behind the firewalls.
SonicWall E-Class Secure Remote Access/Secure Mobile Access are NOT Affected
The E-Class Secure Remote Access (E-Class SRA) and Secure Mobile Access (SMA) appliance products are NOT vulnerable (the GNU Bash shell is not utilized internally for product functionality).
SMB Secure Remote Access (SMB SRA) Appliance Firmware Versions Affected, IF Web Application Firewall (WAF) is NOT Enabled
|SMB SRA Firmware||All 7.5 versions prior to 220.127.116.11-27sv|
All 7.0 and earlier versions prior to 18.104.22.168-3sv
|Impact||The SRA™s Web Application Firewall (WAF) protection should be enabled as the SRA's WAF functionality provides itself protection (SRA is NOT affected when enabled). Affected versions/configurations should patch and/or enable WAF immediately (instructions below).|
|Recommended Action||Upgrade 7.5 to 22.214.171.124-29sv (or newer)|
Upgrade 7.0 to 126.96.36.199-5sv (or newer)
SMB Secure Remote Access (SMB SRA) Web Application Firewall (WAF) Provides Protection Against GNU Bash Vulnerability
SonicWall has released a WAF signature (1603 Bash Code Injection) for the SMB SRA which protects the SMB SRA appliance itself, as well as web servers and devices behind the SRA.
To configure the WAF protection, go to the "Web Application Firewall > Status" tab and enable Web Application Firewall. If "Apply Signature Updates Automatically" is enabled, then Signatures should take effect automatically. If it is not enabled, then admins have to manually go into Web Application Firewall > Status page and click on "Apply"
Check the box for High/Medium Priority Attacks for both Detect and Prevent.
To verify the configuration search for Signatures 9011 and 1603 and ensure they are enabled for both detection and prevention on the ˜Web Application Firewall > Signatures" page
For more advanced WAF Configuration please reference the WAF Admin Guide.
Email Security Appliance Firmware Versions Affected
|Email Security Appliance||Email Security Appliances running version 8.0.3 or earlier.|
|Impact||The Email Security appliance is NOT vulnerable through the standard access ports, such as SMTP (port 25) or HTTP/HTTPS web user interfaces (port 80/443), however for versions 8.0.3 or earlier, the appliance CLI (SNWLCLI) accessed via SSH is vulnerable, and the CLI should be disabled as a workaround or upgrade to 8.0.4+ (or 7.4.8 patch).|
|Recommended Action||For versions 8.0.4 or earlier, disable the appliance CLI (SNWLCLI) as workaround (instructions below), then upgrade to Email Security 8.0.5 (or 7.4.8 patch) during next maintenance cycle.|
Email Security Appliance Instructions to Disable SSH to CLI (SNWLCLI)
To disable SSH to CLI, login to the CLI (either using SSH, the serial port console, or the KVM connection on the appliance).
$ ssh snwlcli@emailsecurityappliance
For CLI access you must login as snwlcli user.
SNWLCLI> help sshd
With no arguments displays sshd status
With on or off, enables or disables sshd
SNWLCLI> sshd off
Connection to emailsecurityappliance closed.
Now SSH connection is refused
$ ssh snwlcli@ emailsecurityappliance
ssh: connect to host emailsecurityappliance port 22: Connection refused
To re-enable SSH, access the snwlcli from the serial port console or from the KVM connection on the back of the appliance.
Management and Reporting Appliance Firmware Versions Affected
|Global Management System (GMS) and Analyzer / ViewPoint Appliance||GMS /Analyzer / ViewPoint Appliances running version 7.2 or earlier.|
|Impact||The GMS / Analyzer / ViewPoint appliance is NOT vulnerable through the standard access ports, such HTTP/HTTPS web user interfaces (port 80/443), however for versions earlier than 7.2.7222.1730, the appliance CLI (SNWLCLI) accessed via SSH is vulnerable, and the hotfix below should be applied.|
|Recommended Action||Apply Hotfix:|
For new installs, deploy version 7.2.7222.1730 or greater.
© 2017 SonicWall Inc. ALL RIGHTS RESERVED. Legal Privacy