
Threat Flash Alert: Multiple Zero-Day Vulnerabilities Found in SonicWALL Email Security Products

22 April 2021

Event Summary

SonicWALL has disclosed multiple zero-day vulnerabilities in their email security products and has issued a statement urging customers to apply updated firmware and security patches.  These vulnerabilities affect both their on-premises and hosted email security products.  They have observed at least one exploit attempt “in the wild” with the potential for more.  These vulnerabilities could allow an attacker to install a backdoor, access files and emails, or move laterally throughout the network.


SonicWALL Vulnerability Details

CVE-2021-20021 – Email Security Pre-Authentication Administrative Account Creation vulnerability. This allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (present)

CVE-2021-20022 – Email Security Post-Authentication Arbitrary File Creation vulnerability. This allows a post-authenticated attacker to upload an arbitrary file to the remote host.

Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (present)

CVE-2021-20023 – Email Security Post-Authentication Arbitrary File Read vulnerability. This allows a post-authenticated attacker to read an arbitrary file on the remote host.

Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (present)

SonicWALL Email Security versions 7.0.0-9.2.2 are also impacted by the above vulnerabilities.  These are legacy versions and have reached end of life (EOL) but SonicWALL has provided security updates for customers with an active support license.
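To turn the affected-version lists above into an inventory check, the following script (an added example written for this alert, not SonicWALL's or Security On-Demand's tooling) parses an Email Security version string and reports whether it falls inside either range the alert names: 10.0.1 through 10.0.4, or the legacy 7.0.0 through 9.2.2 line. The hostnames and version strings in the sample inventory are constructed, and the decision to ignore any build suffix after the third version component is an assumption of the example, not something the alert states. A version outside both ranges is reported as "not listed", since the alert does not name a fixed version.

```python
"""Check SonicWall Email Security version strings against the ranges this
alert lists as affected by CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023.
Added example; the ranges are copied from the alert text."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Inclusive (low, high, label) ranges as given in the alert.
AFFECTED_RANGES: List[Tuple[Version, Version, str]] = [
    ((10, 0, 1), (10, 0, 4), "Email Security 10.0.1-10.0.4"),
    ((7, 0, 0), (9, 2, 2), "legacy Email Security 7.0.0-9.2.2 (EOL; patch requires an active support license)"),
]

# major.minor.patch, optionally prefixed with 'v' and followed by a build suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:[.\-]\S*)?\s*$")


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch) from strings such as '10.0.4' or '10.0.4.2034'.
    Anything after the third component (a build number) is ignored; that is an
    assumption of this example, not a statement from the alert."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def affected_range(version: str) -> Optional[str]:
    """Return the label of the affected range containing `version`, or None
    when the version is outside every range the alert lists."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    for low, high, label in AFFECTED_RANGES:
        if low <= v <= high:  # tuple comparison gives numeric, not lexical, order
            return label
    return None


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to a one-line action for the patch queue."""
    report: Dict[str, str] = {}
    for host, version in inventory:
        try:
            label = affected_range(version)
        except ValueError as exc:
            report[host] = f"REVIEW: {exc}"
            continue
        if label is None:
            report[host] = f"not in an affected range listed by this alert ({version})"
        else:
            report[host] = f"PATCH NOW: {version} is in {label}"
    return report


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = [
        ("mail-gw-01", "10.0.4.2034"),
        ("mail-gw-02", "9.2.2"),
        ("mail-gw-03", "10.0.9"),
        ("mail-gw-04", "n/a"),
    ]
    for host, line in triage(sample).items():
        print(f"{host}: {line}")
```

Feed it the version column from your appliance inventory; anything reported as "REVIEW" has a version string the parser could not read and needs a manual look rather than being silently skipped.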


Recommendations

SonicWALL has released security patches for all three of these vulnerabilities. For customers utilizing the Hosted Email Security, these vulnerabilities were automatically patched on Monday, April 19th and no action is needed.

For customers utilizing on-premises email security appliances, SonicWALL has provided firmware/security patches with a step-by-step upgrade guide (linked under Sources below). We recommend that customers using SonicWALL on-premises email security appliances patch these vulnerabilities as soon as possible.


SOD Actions

The Security On-Demand Threat Recon Unit will continue to monitor these events, and will notify you of any important updates. Patching these vulnerabilities is of paramount importance and should be done immediately, if regular patching has not already been applied. SOD’s Security Operations Center is aware of these vulnerabilities and will continue to scan and monitor your systems for any suspicious activity.

The Security Operations Center also continues to provide a monthly list of managed device vulnerabilities in order to identify key vulnerabilities prior to exploitation. We will continue to monitor this activity and provide any critical updates as more information is provided.  Please contact us if you have any questions or concerns.


Sources

https://www.bleepingcomputer.com/news/security/sonicwall-warns-customers-to-patch-3-zero-days-exploited-in-the-wild/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20021

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20022

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20023

https://www.sonicwall.com/support/knowledge-base/how-do-i-upgrade-firmware-on-an-email-security-appliance/170504270079039/