SonicWall has released patches to correct three actively exploited vulnerabilities in its on-premises and hosted email security solutions.
The vulnerabilities can be exploited remotely to gain access to SonicWall Email Security hardware and virtual appliances as well as software installations on Microsoft Windows Server. Successful exploitation of the vulnerabilities would allow threat actors to access files and emails, install backdoors into systems, and subsequently move laterally within victims’ networks. In a security advisory about the zero-day vulnerabilities, SonicWall said patching is imperative to prevent exploitation.
One of the vulnerabilities is a pre-authentication bug, and the other two are post-authentication flaws. A threat actor with intimate knowledge of the SonicWall application has been exploiting the vulnerabilities to gain access to enterprise networks. An attack was observed by Mandiant and was blocked before the attackers completed their mission. They had installed a backdoor and were moving laterally within the victim’s network when the attack was detected and blocked, so their ultimate objectives remain unknown.
The three vulnerabilities are:
- CVE-2021-20021 – Pre-auth vulnerability allowing an attacker to create an admin account via a specially crafted HTTP request to the remote host.
- CVE-2021-20022 – Post-auth vulnerability allowing an attacker to upload an arbitrary file to the remote host.
- CVE-2021-20023 – Post-auth vulnerability allowing an attacker to read arbitrary files from the remote host.
The vulnerabilities affect the following SonicWall Email Security solutions:
- Email Security (ES) 10.0.4-present
- Email Security 10.0.3
- Email Security 10.0.2
- Email Security 10.0.1
- Email Security 7.0.0 – 9.2.2
- Hosted Email Security (HES) 10.0.4-present
- Hosted Email Security 10.0.3
- Hosted Email Security 10.0.2
- Hosted Email Security 10.0.1
The flaws have been corrected in the following Email Security versions. All users of affected Email Security products should upgrade immediately.
- Email Security 10.0.9.6173 (Windows)
- Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance)
- Hosted Email Security 10.0.9.6173 – Patches automatically applied on April 19, 2021
Email Security versions 7.0.0 – 9.2.2 have reached end-of-life and are no longer supported, so no patches are being released to correct the flaws in those versions. However, customers running these versions who hold an active support license can download the latest SonicWall Email Security release, in which the vulnerabilities are corrected.
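Triaging an inventory against the affected and fixed versions above is a routine defender task; the following is an added example (not SonicWall's code) that classifies a version string by platform, using the fixed builds and the end-of-life range from the advisory. The platform labels (`windows`, `appliance`, `hosted`) and the sample inventory are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Fixed builds from the advisory, keyed by assumed platform labels.
FIXED_BUILDS: Dict[str, str] = {
    "windows": "10.0.9.6173",    # Email Security on Windows Server
    "appliance": "10.0.9.6177",  # hardware and ESXi virtual appliance
    "hosted": "10.0.9.6173",     # Hosted Email Security (patched by SonicWall)
}

# Email Security 7.0.0 - 9.2.2: end-of-life, no patch will be issued.
EOL_RANGE = ("7.0.0", "9.2.2")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.9.6173' into (10, 0, 9, 6173) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(version: str, platform: str) -> str:
    """Return 'eol', 'vulnerable', 'patched' or 'unknown' for one installation.

    A 10.0.x version is vulnerable unless it is at or above the fixed build for
    its platform; a bare '10.0.9' with no build number sorts below '10.0.9.6173'
    and is therefore treated as vulnerable, which is the safe default.
    Versions the advisory does not mention are reported as 'unknown'.
    """
    if platform not in FIXED_BUILDS:
        raise ValueError(f"unknown platform: {platform}")
    v = parse_version(version)
    if parse_version(EOL_RANGE[0]) <= v <= parse_version(EOL_RANGE[1]):
        return "eol"
    if v[:2] == (10, 0):
        return "patched" if v >= parse_version(FIXED_BUILDS[platform]) else "vulnerable"
    return "unknown"


def needs_action(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (host, status) for every host that is not confirmed patched."""
    return [(host, status)
            for host, platform, version in inventory
            if (status := assess(version, platform)) != "patched"]


# Constructed sample inventory: (hostname, platform, version).
SAMPLE_INVENTORY = [
    ("mail-gw-01", "windows", "10.0.9.6173"),
    ("mail-gw-02", "appliance", "10.0.9.6173"),  # right number, wrong platform
    ("mail-legacy", "windows", "9.2.2"),
    ("mail-hes", "hosted", "10.0.4"),
]

if __name__ == "__main__":
    for host, status in needs_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```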