Dell SonicWALL Notice Concerning CVE-2014-6271 / CVE-2014

Dell SonicWALL Notice Concerning CVE-2014-6271 / CVE-2014-7169 – GNU Bash
Vulnerability
Dear Customer,
Researchers have found a critical vulnerability ( CVE-2014-6271 / CVE-2014-7169 ) in the GNU
Bash shell (aka “ShellShock”) which was reported on the NIST National Vulnerability Database
on 9/24/2014.
Dell SonicWALL Firewalls are NOT Affected
Dell SonicWALL firewalls (TZ, NSA, E-Class NSA, SuperMassive) are NOT affected by the GNU
Bash vulnerability (no Bash or other *nix shells exist in SonicOS). Additionally, firewalls with
an active Intrusion Prevention Service, as of Sep 24th 2014, have signatures to protect
vulnerable servers and devices positioned behind the firewalls.
Dell SonicWALL E-Class Secure Remote Access/Secure Mobile Access are NOT Affected
The E-Class Secure Remote Access (E-Class SRA) and Secure Mobile Access (SMA) appliance
products are NOT vulnerable (the GNU Bash shell is not utilized internally for product
functionality).
SMB Secure Remote Access (SMB SRA) Appliance Firmware Versions Affected, IF Web
Application Firewall (WAF) is NOT Enabled
SMB SRA Firmware
All 7.5 versions prior to 7.5.0.10-27sv
All 7.0 and earlier versions prior to 7.0.1.1-3sv
Impact
The SRA’s Web Application Firewall (WAF) protection
should be enabled as the SRA’s WAF functionality provides
itself protection (SRA is NOT affected when enabled).
Affected versions/configurations should patch and/or
enable WAF immediately (instructions below).
Recommended Action
Upgrade 7.5 to 7.5.0.10-27sv (or newer)
Upgrade 7.0 to 7.0.1.1-3sv (or newer)
SMB Secure Remote Access (SMB SRA) Web Application Firewall (WAF) Provides Protection
Against GNU Bash Vulnerability
Dell SonicWALL has released a WAF signature (1603 Bash Code Injection) for the SMB SRA
which protects the SMB SRA appliance itself, as well as web servers and devices behind the
SRA.
To configure the WAF protection, go to the ‘Web Application Firewall > Status’ tab and
enable Web Application Firewall. If ‘Apply Signature Updates Automatically’ is enabled, then
Signatures should take effect automatically. If it is not enabled, then admins have to
manually go into Web Application Firewall > Status page and click on ‘Apply’
Check the box for High/Medium Priority Attacks for both Detect and Prevent.
To verify the configuration search for Signatures 9011 and 6013 and ensure they are enabled
for both detection and prevention on the ‘Web Application Firewall > Signatures’ page
For more advanced WAF Configuration please reference the WAF Admin Guide.
Email Security Appliance Firmware Versions Affected
Email Security Appliance
Email Security Appliances running version 8.0.3 or earlier.
Impact
The Email Security appliance is NOT vulnerable through
the standard access ports, such as SMTP (port 25) or
HTTP/HTTPS web user interfaces (port 80/443), however
for versions 8.0.3 or earlier, the appliance CLI (snwlcli)
accessed via SSH is vulnerable, and the CLI should be
disabled as a workaround or upgrade to 8.0.4+ (or 7.4.8
patch).
For versions 8.0.3 or earlier, disable the appliance CLI
(snwlcli) as workaround (instructions below), then
upgrade to Email Security 8.0.4 (or 7.4.8 patch) during
next maintenance cycle.
Recommended Action
Email Security Appliance Instructions to Disable SSH to CLI (snwlcli)
To disable SSH to CLI, login to the CLI (either using SSH, the serial port console, or the KVM
connection on the appliance).
$ ssh [email protected]
For CLI access you must login as snwlcli user.
Login: admin
Password:
SNWLCLI> help sshd
sshd [{on|off}]
With no arguments displays sshd status
With on or off, enables or disables sshd
SNWLCLI> sshd off
SNWLCLI> quit
Connection to emailsecurityappliance closed.
Now SSH connection is refused
$ ssh [email protected] emailsecurityappliance
ssh: connect to host emailsecurityappliance port 22: Connection
refused
To re-enable SSH, access the snwlcli from the serial port console or from the KVM connection on the
back of the appliance.
Management and Reporting Appliance Firmware Versions Affected
Global Management System
(GMS) and Analyzer /
Viewpoint Appliance
Impact
Recommended Action
GMS /Analyzer / Viewpoint Appliances running version 7.2
or earlier.
The GMS / Analyzer / Viewpoint appliance is NOT
vulnerable through the standard access ports, such
HTTP/HTTPS web user interfaces (port 80/443), however
for versions earlier than 7.2.7222.1727, the appliance CLI
(snwlcli) accessed via SSH is vulnerable, and the hotfix
below should be applied.
Apply Hotfix:
7.2: sw_gmsvp_all_eng_7.2.hotfix.dts.150000.sig
7.1: sw_gmsvp_all_eng_7.1.hotfix.dts.150000.sig
7.0: sw_gmsvp_all_eng_7.0.hotfix.dts.150000.sig
6.0: sw_gmsvp_all_eng_6.0.hotfix.dts.150000.sig
5.1: sw_gmsvp_all_eng_5.1.hotfix.dts.150000.sig
For new installs, deploy version 7.2.7222.1727 or
greater.