-
Products
-
Gen 7 Firewalls
SonicWall's Gen 7 platform-ready firewalls offer performance with stability and superior threat protection — all at an industry-leading TCO.
Read More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
Product Notice: Improper Access Control Vulnerability in SonicOS
First Published:08/22/2024
Last Updated:09/05/2024
Overview
An improper access control vulnerability has been identified in the SonicWall SonicOS management access and SSLVPN, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash.
This issue affects SonicWall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.
This vulnerability is potentially being exploited in the wild.
Please apply the patch as soon as possible for affected products. The latest patch builds are available for download on mysonicwall.com.
Product Impact
Please review the table below to see if your firewall appliance is impacted. If your appliance is using an impacted firmware version, please follow the provided patch guidance.
| Gen | Impacted Models | Impacted Version |
| Gen5 | SOHO | SonicOS 5.9.2.14-2o and earlier versions |
| Gen 6/6.5 | SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | SonicOS 6.5.4.14-109n and earlier versions |
| Gen 7 | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, NSv 270, NSv 470, NSv 870 |
|
NOTE:Gen6 NSv(virtual firewalls) are not impacted.
Workaround
To minimize potential impact, we recommend restricting firewall management to trusted sources or disabling firewall WAN management from Internet access. Similarly, for SSLVPN, please ensure that access is limited to trusted sources, or disable SSLVPN access from the Internet.
For more information about disabling firewall WAN management access, see: How can I restrict admin access to the device?
For more information about disabling firewall SSLVPN access, see: How can I setup SSL-VPN?
Apply the patch as soon as possible for impacted products, latest patch builds are available for download on mysonicwall.com.
If you have any further questions on restricting/disabling WAN management or SSLVPN access or require additional information, please contact SonicWall Technical Support.
Remediation
Users will need to upgrade their impacted models to the versions mentioned in the table below if they are running SonicOS version which is impacted by this vulnerability.
| Gen | Fixed Models | Fixed Version |
| Gen5 | SOHO | SonicOS 5.9.2.14-13o |
| Gen 6 | SOHOW, TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600, NSA 2650, NSA 3600, NSA 3650, NSA 4600, NSA 4650, NSA 5600, NSA 5650, NSA 6600, NSA 6650, SM 9200, SM 9250, SM 9400, SM 9450, SM 9600, SM 9650, TZ 300P, TZ 600P, SOHO 250, SOHO 250W, TZ 350, TZ 350W | SonicOS 6.5.4.15-116n |
| Gen 7 | TZ270, TZ270W, TZ370, TZ370W, TZ470, TZ470W, TZ570, TZ570W, TZ570P, TZ670, NSa 2700, NSa 3700, NSa 4700, NSa 5700, NSa 6700, NSsp 10700, NSsp 11700, NSsp 13700, NSsp 15700, NSv 270, NSv 470, NSv 870 | This vulnerability is not reproducible in SonicOS firmware SonicOS 7.1.1-7058, |
NOTE: If you are already running SonicOS 7.1.1-7058 then you do not require any additional action at this moment.
IMPORTANT:
SonicWall strongly advises that customers using GEN5 and GEN6 firewalls with SSLVPN users who have locally managed accounts immediately update their passwords to enhance security and prevent unauthorized access. Users can change their passwords if the "User must change password" option is enabled on their account. Administrators must manually enable the "User must change password" option for each local account to ensure this critical security measure is enforced.
For GEN5 Firewalls:
Navigate to Users|Local Users. For more details, please refer to pages 1340 and 1341 of the SonicOS 5.9 Administrators Guide, titled "Managing Users and Authentication Settings." Resource: SonicOS 5.9 Administrators Guide
For GEN6 Firewalls:
Navigate to MANAGE | System Setup | Users|Local Users & Groups. For more details, please refer to pages 227 and 228 of the SonicOS 6.5 System Setup Administration Guide, titled "Configuring Local Users Settings." Resource: SonicOS 6.5 System Setup Administration Guide
Additionally, SonicWall recommends enabling MFA (TOTP or Email-based OTP) for all SSLVPN users. Resource: How do I configure 2FA for SSL VPN with TOTP?
Related information
Follow Us
© 2024 SonicWall. All Rights Reserved.