Overview
An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and, in specific conditions, causing the firewall to crash.
This issue affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
This vulnerability is potentially being exploited in the wild.
Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com.
Product Impact
Please review the table below to see if your firewall appliance is impacted. If your appliance is using an impacted firmware version, please follow the provided patch guidance.
| Gen | Impacted Models | Impacted Version |
|---|---|---|
| Gen 5 | SOHO | SonicOS 5.9.2.14-2o and earlier versions |
| Gen 6/6.5 | SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | SonicOS 6.5.4.14-109n and earlier versions |
| Gen 7 | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, NSv 270, NSv 470, NSv 870 | SonicOS 7.0.1-5035 and earlier versions |

NOTE: Gen 6 NSv (virtual firewalls) are not impacted.
Workaround
To minimize potential impact, we recommend restricting firewall management to trusted sources or disabling firewall WAN management from Internet access. Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet.
For more information about disabling firewall WAN management access, see: How can I restrict admin access to the device?
For more information about disabling firewall SSLVPN access, see: How can I setup SSL-VPN?
Apply the patch as soon as possible for impacted products; the latest patch builds are available for download on mysonicwall.com.
If you have any further questions on restricting/disabling WAN management or SSLVPN access or require additional information, please contact SonicWall Technical Support.
Remediation
Users running a SonicOS version impacted by this vulnerability will need to upgrade their impacted models to the versions listed in the table below.

| Gen | Fixed Models | Fixed Version |
|---|---|---|
| Gen 5 | SOHO | SonicOS 5.9.2.14-13o |
| Gen 6 | SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | SonicOS 6.5.4.15-116n and higher |
| Gen 7 | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, NSv 270, NSv 470, NSv 870 | This vulnerability is not reproducible in SonicOS firmware versions higher than 7.0.1-5035. However, SonicWall recommends that you install the latest firmware listed here: SonicOS 7.1.1-7058, SonicOS 7.0.1-5161, SonicOS 7.1.2-7019 |

NOTE: If you are already running SonicOS 7.1.1-7058, no additional action is required at this time.
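The tables above give one "last impacted" build per generation, and the cut-off for Gen 7 is "higher than 7.0.1-5035". The following inventory triage script is an added example, not SonicWall tooling: it parses SonicOS version strings of the form seen in this advisory (dotted release, dash, build number, optional letter suffix), compares each firewall against the advisory's thresholds and reports the remediation target. The inventory rows and hostnames are constructed; the assumption that the trailing letter (the "n"/"o") is a platform marker rather than an ordering component is mine.

```python
import re
from dataclasses import dataclass

# Last impacted build per generation, taken from the advisory's tables.
LAST_IMPACTED = {
    "Gen5": "5.9.2.14-2o",
    "Gen6": "6.5.4.14-109n",
    "Gen7": "7.0.1-5035",
}
# Remediation targets per generation, as stated in the advisory.
FIXED = {
    "Gen5": "SonicOS 5.9.2.14-13o",
    "Gen6": "SonicOS 6.5.4.15-116n and higher",
    "Gen7": "SonicOS 7.0.1-5161, 7.1.1-7058 or 7.1.2-7019 (recommended)",
}

# Assumed format: '<dotted release>-<build><optional letter>', e.g. 6.5.4.14-109n
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)([A-Za-z]?)$")


def parse_version(version: str) -> tuple:
    """Return ((release ints), build int, suffix) so the first two compare in order."""
    m = _VERSION_RE.match(version.strip().removeprefix("SonicOS").strip())
    if not m:
        raise ValueError(f"unrecognised SonicOS version string: {version!r}")
    release, build, suffix = m.groups()
    return (tuple(int(p) for p in release.split(".")), int(build), suffix)


@dataclass
class Triage:
    hostname: str
    gen: str
    version: str
    impacted: bool
    action: str


def triage(hostname: str, gen: str, version: str) -> Triage:
    """Impacted if the running build is at or below the generation's cut-off."""
    if gen not in LAST_IMPACTED:
        raise ValueError(f"{hostname}: unknown generation {gen!r}")
    release, build, _suffix = parse_version(version)
    last_rel, last_build, _ = parse_version(LAST_IMPACTED[gen])
    impacted = (release, build) <= (last_rel, last_build)
    action = f"upgrade to {FIXED[gen]}" if impacted else "no action required"
    return Triage(hostname, gen, version, impacted, action)


# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = [
    ("branch-fw-1", "Gen6", "6.5.4.14-109n"),
    ("branch-fw-2", "Gen6", "6.5.4.15-116n"),
    ("hq-fw", "Gen7", "7.0.1-5035"),
    ("dc-fw", "Gen7", "7.1.1-7058"),
    ("legacy-soho", "Gen5", "5.9.2.14-2o"),
]


def triage_inventory(inventory=INVENTORY):
    return [triage(*row) for row in inventory]


if __name__ == "__main__":
    for t in triage_inventory():
        state = "IMPACTED" if t.impacted else "ok"
        print(f"{t.hostname:<12} {t.gen:<5} {t.version:<14} {state:<9} {t.action}")
```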
IMPORTANT:
SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access. Users can change their passwords if the "User must change password" option is enabled on their account. Administrators must manually enable the "User must change password" option for each local account to ensure this critical security measure is enforced.
NSA 2600, Gen 5 and older units that are End of Life (EoL) are susceptible to this exploit, and no software update will be released for these out-of-support units. If you or your clients are using older, unsupported SonicWall firewalls, please make sure that WAN management and SSL VPN access are disabled immediately and that any such units are upgraded to a current generation device as soon as possible.
TIP: SonicOS automation can be used to enforce password changes, enforce OTP and assist with firewall firmware updates. Please refer to https://github.com/sonicwall/sonicos-automation/
For GEN5 Firewalls:
Navigate to Users | Local Users. For more details, please refer to pages 1340 and 1341 of the SonicOS 5.9 Administrators Guide, titled "Managing Users and Authentication Settings." Resource: SonicOS 5.9 Administrators Guide
For GEN6 Firewalls:
Navigate to MANAGE | System Setup | Users | Local Users & Groups. For more details, please refer to pages 227 and 228 of the SonicOS 6.5 System Setup Administration Guide, titled "Configuring Local Users Settings." Resource: SonicOS 6.5 System Setup Administration Guide
Additionally, SonicWall recommends enabling MFA (TOTP or Email-based OTP) for all SSLVPN users. Resource: How do I configure 2FA for SSL VPN with TOTP?