Dell SonicWALL Notice Concerning CVE-2014-6271 / CVE-2014-7169 – GNU Bash Vulnerability

Dear Customer,

Researchers have found a critical vulnerability (CVE-2014-6271 / CVE-2014-7169) in the GNU Bash shell (aka “ShellShock”), which was reported on the NIST National Vulnerability Database on 9/24/2014.

Dell SonicWALL Firewalls are NOT Affected

Dell SonicWALL firewalls (TZ, NSA, E-Class NSA, SuperMassive) are NOT affected by the GNU Bash vulnerability (no Bash or other *nix shells exist in SonicOS). Additionally, firewalls with an active Intrusion Prevention Service, as of Sep 24th 2014, have signatures to protect vulnerable servers and devices positioned behind the firewalls.

Dell SonicWALL E-Class Secure Remote Access/Secure Mobile Access are NOT Affected

The E-Class Secure Remote Access (E-Class SRA) and Secure Mobile Access (SMA) appliance products are NOT vulnerable (the GNU Bash shell is not utilized internally for product functionality).

SMB Secure Remote Access (SMB SRA)

Appliance: SMB SRA Firmware

Firmware Versions Affected, IF Web Application Firewall (WAF) is NOT Enabled:
- All 7.5 versions prior to 7.5.0.10-27sv
- All 7.0 and earlier versions prior to 7.0.1.1-3sv

Impact: The SRA’s Web Application Firewall (WAF) protection should be enabled, because the SRA’s WAF functionality protects the SRA itself (the SRA is NOT affected when WAF is enabled). Affected versions/configurations should patch and/or enable WAF immediately (instructions below).

Recommended Action:
- Upgrade 7.5 to 7.5.0.10-27sv (or newer)
- Upgrade 7.0 to 7.0.1.1-3sv (or newer)

SMB Secure Remote Access (SMB SRA) Web Application Firewall (WAF) Provides Protection Against GNU Bash Vulnerability

Dell SonicWALL has released a WAF signature (1603 Bash Code Injection) for the SMB SRA which protects the SMB SRA appliance itself, as well as web servers and devices behind the SRA.

To configure the WAF protection, go to the ‘Web Application Firewall > Status’ tab and enable Web Application Firewall.

If ‘Apply Signature Updates Automatically’ is enabled, the signatures should take effect automatically. If it is not enabled, admins have to go to the ‘Web Application Firewall > Status’ page manually and click on ‘Apply’.

Check the box for High/Medium Priority Attacks for both Detect and Prevent.

To verify the configuration, search for Signatures 9011 and 6013 and ensure they are enabled for both detection and prevention on the ‘Web Application Firewall > Signatures’ page.

For more advanced WAF configuration, please reference the WAF Admin Guide.

Email Security Appliance

Appliance: Email Security Appliance

Firmware Versions Affected: Email Security Appliances running version 8.0.3 or earlier.

Impact: The Email Security appliance is NOT vulnerable through the standard access ports, such as SMTP (port 25) or the HTTP/HTTPS web user interfaces (port 80/443). However, for versions 8.0.3 or earlier, the appliance CLI (snwlcli) accessed via SSH is vulnerable, and the CLI should be disabled as a workaround, or the appliance upgraded to 8.0.4+ (or 7.4.8 patch).

Recommended Action: For versions 8.0.3 or earlier, disable the appliance CLI (snwlcli) as a workaround (instructions below), then upgrade to Email Security 8.0.4 (or 7.4.8 patch) during the next maintenance cycle.

Email Security Appliance Instructions to Disable SSH to CLI (snwlcli)

To disable SSH to the CLI, log in to the CLI (using SSH, the serial port console, or the KVM connection on the appliance).

    $ ssh snwlcli@emailsecurityappliance
    For CLI access you must login as snwlcli user.
    Login: admin
    Password:
    SNWLCLI> help sshd
    sshd [{on|off}]
    With no arguments displays sshd status
    With on or off, enables or disables sshd
    SNWLCLI> sshd off
    SNWLCLI> quit
    Connection to emailsecurityappliance closed.

The SSH connection is now refused:

    $ ssh snwlcli@emailsecurityappliance
    ssh: connect to host emailsecurityappliance port 22: Connection refused

To re-enable SSH, access the snwlcli from the serial port console or from the KVM connection on the back of the appliance.

Management and Reporting

Appliance: Global Management System (GMS) and Analyzer / Viewpoint

Firmware Versions Affected: GMS / Analyzer / Viewpoint Appliances running version 7.2 or earlier.

Impact: The GMS / Analyzer / Viewpoint appliance is NOT vulnerable through the standard access ports, such as the HTTP/HTTPS web user interfaces (port 80/443). However, for versions earlier than 7.2.7222.1727, the appliance CLI (snwlcli) accessed via SSH is vulnerable, and the hotfix below should be applied.

Recommended Action: Apply Hotfix:
- 7.2: sw_gmsvp_all_eng_7.2.hotfix.dts.150000.sig
- 7.1: sw_gmsvp_all_eng_7.1.hotfix.dts.150000.sig
- 7.0: sw_gmsvp_all_eng_7.0.hotfix.dts.150000.sig
- 6.0: sw_gmsvp_all_eng_6.0.hotfix.dts.150000.sig
- 5.1: sw_gmsvp_all_eng_5.1.hotfix.dts.150000.sig

For new installs, deploy version 7.2.7222.1727 or greater.
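
For triaging an inventory against the SMB SRA criteria in this notice, the following is an added example (not Dell SonicWALL code). It assumes firmware strings follow the "N.N.N.N-NNsv" form of the two fixed builds named above and that the number after the dash is an increasing build number; the hostnames and older builds in the sample inventory are constructed.

```python
import re

# Fixed SMB SRA builds named in the notice.
FIXED_75 = "7.5.0.10-27sv"
FIXED_70 = "7.0.1.1-3sv"


def parse_version(text):
    """'7.5.0.10-27sv' -> (7, 5, 0, 10, 27); dotted part padded to 4 fields."""
    m = re.fullmatch(r"(\d+(?:\.\d+){1,3})-(\d+)sv", text.strip())
    if not m:
        raise ValueError(f"unrecognised SRA firmware string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums) + (int(m.group(2)),)


def sra_status(firmware, waf_enabled):
    """Classify one SMB SRA appliance using the notice's criteria."""
    version = parse_version(firmware)
    branch = version[:2]
    if branch == (7, 5):
        fixed = FIXED_75
    elif branch <= (7, 0):
        fixed = FIXED_70
    else:
        return "not listed in notice"
    # Compare numerically: as strings, "7.5.0.9" would sort after "7.5.0.10".
    if version >= parse_version(fixed):
        return "patched"
    if waf_enabled:
        return "not affected (WAF enabled)"
    return f"affected: upgrade to {fixed} or newer, or enable WAF"


# Constructed inventory (hostnames and older builds are made up for the example).
INVENTORY = [
    ("sra-branch-1", "7.5.0.9-25sv", False),
    ("sra-branch-2", "7.5.0.10-27sv", False),
    ("sra-hq", "7.0.1.1-2sv", True),
    ("sra-lab", "6.0.0.5-18sv", False),
]


def triage(inventory):
    return {host: sra_status(fw, waf) for host, fw, waf in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```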