SMA 100 Series OpenSSL Library Update in 10.2.1.7
We are pleased to be announcing the general availability of SMA 100 10.2.1.7 release supporting all SMA models (SMA410, SMA210, SMA400, SMA200, SMA500v for ESXi, SMA500v for HyperV, SMA500v for KVM, SMA500v for AWS, SMA500v for Azure)
This release includes several key security features that protect the operating system from potential attack as well as updates to the OpenSSL Library. For more details on any of these features, please refer to the SMA 100 10.2.1 administration guide or the release notes. Links have been provided below.
- New Firmware Availability Notifications: New firmware upgrade notifications will appear on System-licenses page of the SMA100 to notify customers that a newer firmware is available for upgrade. SonicWall recommends using the latest firmware version for highest security and optimal performance.
- OpenSSL version upgrade: OpenSSL library is updated to version 1.1.1t. This version fixes the OpenSSL vulnerability documented in CVE-2022-4304: A timing-based side channel exists in the OpenSSL RSA Decryption implementation.
- Additional Security Enhancements:
a. Enforce WAF to protect the SMA100 itself. WAF service has been automatically enforced for self-protection. To enable WAF for appliance offloading portal, an active WAF license will still be required.
b. Enforce good security practices by providing warnings to customers to turn on two-Factors Authentication (2FA), Password Expiration, and Web Application Firewall.
c. Disable user added custom scripts that run automatically after boot up while deploying SMA 500v in AWS or Azure environments. (Due to this security enforcement the user scripts deployed in SMA 500v will not function. Existing user scripts prior to upgrading to version 10.2.1.7 will not function after this upgrade)
d. Additional security checks are done to verify the integrity of the firmware.
e. Restricting traffic: If a firmware integrity issue is detected on a specific unit, the SMA will restrict its own initiated outbound communications for security reasons. This will not affect any user's VPN access to applications or any resource on the network. Outbound email and syslog communication will be impacted from the SMA 100 unit. This behavior will be reversed after upgrading to release that has the security fixes for the firmware integrity issues.
Resolution
Upgrade your SMA Firmware Image to SMA 10.2.1.7-50sv using the instructions given below:
- Navigate to System | Settings, click Export Settings. You will get a prompt to save to a location.
TIP: It is always a good idea to have a saved settings file in case of a problem or to re-provision the appliance quickly in case of hardware replacement - Once you have the settings exported you can download the firmware from mysonicwall.com.
- Once logged in navigate to Downloads. In the drop down for Software Type choose the hardware platform you are going to upgrade.
- Click on the latest firmware link.
- From the web interface of the SMA appliance navigate to System | Settings. Click Upload New Firmware
- Browse to the downloaded firmware. Once the file has finished uploading you will see the new version in New Firmware.
- Click New Firmware.
CAUTION: Make sure Boot with factory default settings is OFF. If this is ON, then it will remove all your settings and the appliance will be in factory defaulted state. - Click on the Boot button. The device will boot. Wait for the login page.
- Login to the appliance and verify that the appliance upgraded successfully by going to System | Status.