22 April 2021
Event Summary
SonicWALL has disclosed three zero-day vulnerabilities in its Email Security products and has issued a statement urging customers to apply the updated firmware and security patches. The vulnerabilities affect both the on-premises appliances and the Hosted Email Security service. At least one exploitation attempt has been observed in the wild, with the potential for more now that the issues are public. Chained together, the three vulnerabilities could allow an attacker to create an administrative account without any credentials, install a backdoor, read files and emails on the appliance, and move laterally through the network.
SonicWALL Vulnerability Details
CVE-2021-20021 – Email Security Pre-Authentication Administrative Account Creation vulnerability. An unauthenticated attacker can create an administrative account by sending a crafted HTTP request to the appliance. This is the entry point of the chain: the account it creates satisfies the authentication requirement of the two vulnerabilities below.
Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (the current release at the time of disclosure)
CVE-2021-20022 – Email Security Post-Authentication Arbitrary File Creation vulnerability. An authenticated attacker can upload an arbitrary file to the appliance, which is the means by which a backdoor could be installed.
Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (the current release at the time of disclosure)
CVE-2021-20023 – Email Security Post-Authentication Arbitrary File Read vulnerability. An authenticated attacker can read an arbitrary file on the appliance, which is how configuration, stored email and other sensitive data could be accessed.
Affected versions: Email Security 10.0.1, 10.0.2, 10.0.3, 10.0.4 (the current release at the time of disclosure)
SonicWALL Email Security versions 7.0.0 through 9.2.2 are also affected by all three vulnerabilities. These are legacy releases that have reached end of life (EOL), but SonicWALL has provided security updates for customers with an active support license; customers running these versions without an active license should upgrade to a supported release.
Recommendations
SonicWALL has released security patches for all three vulnerabilities. For customers using Hosted Email Security, the fixes were applied automatically on Monday, April 19th and no action is needed.
For customers running on-premises Email Security appliances, SonicWALL has provided firmware/security patches together with a step-by-step guide in its advisory. We recommend that these customers patch as soon as possible. Because CVE-2021-20021 can be used to create an administrative account before the patch is applied, patching alone does not remove an attacker who has already exploited it: after updating, review the appliance's administrative accounts and any recently created files, and treat unexpected entries as indicators of compromise.
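The following triage helper is an added example, not code from SonicWALL or Security On-Demand. It shows the two checks a defender would want to run against each on-premises appliance: whether its version string falls inside the affected ranges listed in this bulletin, and whether the administrator list contains accounts that are not in a pre-disclosure baseline or were created during the exposure window (the condition CVE-2021-20021 produces). The dotted version format, the account-export field names (`name`, `role`, `created`) and the sample account data are assumptions constructed for illustration, not SonicWALL's export format.

```python
"""Triage helper for the three SonicWall Email Security CVEs in this bulletin.

Added example, not code from SonicWall or Security On-Demand. The affected
version ranges come from the bulletin text; the version-string format, the
account-export format and the sample data below are assumptions constructed
for illustration.
"""
from datetime import datetime

# Affected ranges as listed in the bulletin: 10.0.1 through 10.0.4, and the
# end-of-life 7.0.0 through 9.2.2 line. Anything outside these ranges is
# reported as not affected by this check; confirm against the vendor advisory.
AFFECTED_RANGES = (
    ((7, 0, 0), (9, 2, 2)),
    ((10, 0, 1), (10, 0, 4)),
)


def parse_version(version):
    """Turn a dotted version string into a (major, minor, patch) tuple.

    Assumes dotted decimal components; a trailing build number such as
    '10.0.9.6173' is ignored for the range comparison.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def is_affected(version):
    """True if the appliance version falls inside one of the affected ranges."""
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


# Constructed sample: what an export of the appliance's account list might
# look like (field names are assumed, not SonicWall's). 'created' is ISO 8601.
SAMPLE_ACCOUNTS = [
    {"name": "admin", "role": "admin", "created": "2019-03-11T09:00:00"},
    {"name": "esadmin", "role": "admin", "created": "2019-03-11T09:05:00"},
    {"name": "helpdesk", "role": "user", "created": "2020-07-01T14:30:00"},
    {"name": "svc-backup", "role": "admin", "created": "2021-04-20T03:12:00"},
]

# Known-good administrator names recorded before the disclosure window
# (constructed for this example).
BASELINE_ADMINS = {"admin", "esadmin"}


def unexpected_admins(accounts, baseline, window_start):
    """Return admin account names that are not in the baseline, or that were
    created on or after window_start (ISO 8601), in sorted order.

    CVE-2021-20021 lets an unauthenticated attacker create an administrative
    account, so an admin the baseline does not know about, or one created
    during the exposure window, must be explained before it is trusted.
    """
    start = datetime.fromisoformat(window_start)
    flagged = []
    for acct in accounts:
        if acct.get("role") != "admin":
            continue
        created = datetime.fromisoformat(acct["created"])
        if acct["name"] not in baseline or created >= start:
            flagged.append(acct["name"])
    return sorted(flagged)


def triage(version, accounts, baseline, window_start):
    """Combine both checks into one summary dict for a single appliance."""
    return {
        "version": version,
        "affected": is_affected(version),
        "unexpected_admins": unexpected_admins(accounts, baseline, window_start),
    }


if __name__ == "__main__":
    # Window start is a placeholder; set it to the earliest plausible exposure
    # for your environment, not just the date the vendor published the fix.
    print(triage("10.0.4", SAMPLE_ACCOUNTS, BASELINE_ADMINS, "2021-04-01T00:00:00"))
```

Run this against the version reported by each appliance's administration console and an export of its account list; a result of `affected: True` with a non-empty `unexpected_admins` list means the appliance needs incident response as well as patching, not patching alone.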
SOD Actions
The Security On-Demand Threat Recon Unit will continue to monitor these events and will notify you of any important updates. Patching these vulnerabilities is of paramount importance and should be done immediately if it has not already been covered by regular patching. SOD’s Security Operations Center is aware of these vulnerabilities and will continue to scan and monitor your systems for suspicious activity.
The Security Operations Center also continues to provide a monthly list of managed device vulnerabilities in order to identify key vulnerabilities prior to exploitation. We will continue to monitor this activity and provide critical updates as more information becomes available. Please contact us if you have any questions or concerns.
Sources
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20023