Vulnerabilities in SonicWall Email Security

Published : 21/04/2021

Reference:
Advisory #2021-008

Version:
1.0

Affected software:
SonicWall Email Security versions 10.0.1, 10.0.2 and 10.0.03 including the prior versions 7.0.0-9.2.2.

Type:
Remote code execution

CVE/CVSS:
CVE-2021-20021 - 9.4 (CVSS 3.0)
CVE-2021-20022 - 6.7 (CVSS 3.0)
CVE-2021-20023 - 6.7 (CVSS 3.0)

Sources

https://www.sonicwall.com/support/knowledge-base/how-do-i-upgrade-firmware-on-an-email-security-appliance/170504270079039/

Risks

A threat actor successfully leveraging these vulnerabilities could install a backdoor, access files and emails and move laterally into the victim organization’s network.

Description

 
Security hardware manufacturer SonicWall has issued an urgent security notice about threat actors exploiting a zero-day vulnerability in their VPN products to perform attacks on their internal systems.
 

CVE-2021-20021: Email security pre-authentication administrative account creation vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host. This can lead to full compromise of the target system (this is the most severe of the three vulnerabilities).

CVE-2021-20022: Email security post-authentication arbitrary file creation vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.

CVE-2021-20023: Email security post-authentication arbitrary file creation vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.

Recommended Actions

CERT.be recommends that all system administrators upgrade their vulnerable SonicWall hosted email security instances to the appropriate patched versions.

Note that SonicWall Hosted Email Security (HES) is normally patched automatically on Monday. It is therefore possible that you already have the fixed version installed.

| AFFECTED VERSION | PATCHED VERSION | PSIRT ADVISORY |
| --- | --- | --- |
| Email Security (ES) 10.0.4-Present; Email Security 10.0.3; Email Security 10.0.2; Email Security 10.0.1 | Email Security 10.0.9.6173 (Windows) | SNWLID-2021-0007; SNWLID-2021-0008; SNWLID-2021-0010 |
| Email Security (ES) 10.0.4-Present; Email Security 10.0.3; Email Security 10.0.2; Email Security 10.0.1 | Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | SNWLID-2021-0007; SNWLID-2021-0008; SNWLID-2021-0010 |
| Hosted Email Security (HES) 10.0.4-Present; Hosted Email Security 10.0.3; Hosted Email Security 10.0.2; Hosted Email Security 10.0.1 | Hosted Email Security 10.0.9.6173 (Patched Automatically) | SNWLID-2021-0007; SNWLID-2021-0008; SNWLID-2021-0010 |
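To check an asset inventory against the patched builds listed above, the following added example (not part of the original advisory and not SonicWall code) compares reported versions with the fixed build for each deployment type. The deployment labels, host names and inventory entries are constructed for illustration, and it assumes that builds at or above the listed fixed build retain the fix.

```python
import re

# Fixed builds from the advisory's version table, keyed by deployment type.
# The keys ("windows", "appliance", "hosted") are labels chosen for this example.
PATCHED = {
    "windows": (10, 0, 9, 6173),
    "appliance": (10, 0, 9, 6177),  # hardware and ESXi virtual appliance
    "hosted": (10, 0, 9, 6173),     # HES, patched automatically
}
LOWEST_LISTED = (7, 0, 0, 0)  # oldest release the advisory names as affected


def parse_version(text):
    """Turn '10.0.9.6173' into (10, 0, 9, 6173); raise ValueError otherwise."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def triage(deployment, version_text):
    """Return 'patched', 'vulnerable' or 'unknown' for one installation."""
    fixed = PATCHED.get(deployment.strip().lower())
    if fixed is None:
        return "unknown"  # deployment type not covered by the table
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"
    if version == fixed[:len(version)] and len(version) < 4:
        return "unknown"  # e.g. '10.0.9': the build number decides
    padded = version + (0,) * (4 - len(version))
    if padded < LOWEST_LISTED:
        return "unknown"  # older than anything the advisory lists
    # Assumption: builds at or above the fixed build keep the fix.
    return "patched" if padded >= fixed else "vulnerable"


# Constructed inventory: (host, deployment type, reported version).
INVENTORY = [
    ("mail-gw-01", "windows", "10.0.9.6173"),
    ("mail-gw-02", "appliance", "10.0.9.6173"),
    ("mail-gw-03", "appliance", "10.0.3"),
    ("mail-gw-04", "windows", "9.2.2"),
    ("mail-gw-05", "hosted", "10.0.9"),
]

if __name__ == "__main__":
    for host, deployment, version in INVENTORY:
        print(f"{host:12} {deployment:10} {version:12} {triage(deployment, version)}")
```

Entries reported as "unknown" need a manual check, for example when the inventory records only "10.0.9" without the build number.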

 

References

https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html

https://www.bleepingcomputer.com/news/security/sonicwall-firewall-maker-hacked-using-zero-day-in-its-vpn-device/

https://www.bleepingcomputer.com/news/security/sonicwall-fixes-actively-exploited-sma-100-zero-day-vulnerability/