Just in Time Bulletin: Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks
Three zero-day vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – identified in SonicWall’s Email Security (ES) product were being exploited in the wild. These vulnerabilities were chained together to obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.
What are CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023?
CVE-2021-20021 is a critical issue that allows a remote, unauthenticated attacker to create admin accounts by sending specially crafted HTTP requests to the targeted system.
The other two vulnerabilities, CVE-2021-20022 and CVE-2021-20023, can be exploited by authenticated attackers to upload arbitrary files to and read arbitrary files from the host, respectively. These bugs have been assigned a medium severity rating based on their CVSS score, but they become far more dangerous when chained with CVE-2021-20021, which supplies the authenticated admin account they require.
How bad is this?
Active exploitation today: Exploited in the wild
- credentials not required
- authentication bypass
- remote command execution
Who is affected by this?
All three vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – affect SonicWall On-premise Email Security (ES) versions 10.0.9 and earlier, and Hosted Email Security (HES) versions 10.0.9 and earlier.
How are they exploited?
How do I protect myself?
To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances). Organizations using SonicWall Hosted Email Security (HES) products were automatically updated and no action is required for those customers.
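The version boundaries above (10.0.9 and earlier affected; 10.0.9.6173 for Windows and 10.0.9.6177 for hardware and ESXi appliances as the fixed builds) translate into a straightforward triage check over an inventory of ES deployments. The Python below is an added example and is not code from SonicWall or Mandiant; the inventory format (hostname,platform,version), the host names and the version values are constructed for the example, and treating hosted (HES) entries as already patched follows the bulletin's statement that those customers were updated automatically. Note the edge case the check handles: a host reporting just "10.0.9" with no build number is compared as 10.0.9.0 and therefore still flagged, since only the specific 10.0.9 builds named above are fixed.

```python
"""Triage SonicWall Email Security versions against the fixed builds named in the bulletin."""
from typing import Dict, List, Tuple

# Fixed builds quoted in the bulletin, keyed by deployment platform.
# Hosted Email Security (HES) was updated centrally by SonicWall, so it needs no local check.
FIXED_BUILDS: Dict[str, str] = {
    "windows": "10.0.9.6173",
    "hardware": "10.0.9.6177",
    "esxi": "10.0.9.6177",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.9.6173' into (10, 0, 9, 6173); reject malformed input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def _padded(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    # '10.0.9' is compared as 10.0.9.0, so a release reported without a
    # build number sorts below the fixed build of that same release.
    return v + (0,) * (width - len(v))


def is_vulnerable(installed: str, platform: str) -> bool:
    """True when the installed build is older than the fixed build for its platform."""
    key = platform.strip().lower()
    if key in ("hosted", "hes"):
        return False  # HES was patched by SonicWall per the bulletin
    if key not in FIXED_BUILDS:
        raise ValueError(f"unknown platform: {platform!r}")
    fixed = parse_version(FIXED_BUILDS[key])
    current = parse_version(installed)
    width = max(len(fixed), len(current))
    return _padded(current, width) < _padded(fixed, width)


# Constructed inventory lines (hostname,platform,version); these are not real hosts.
SAMPLE_INVENTORY = """\
mail-gw-01,windows,10.0.9.6100
mail-gw-02,windows,10.0.9.6173
mail-gw-03,esxi,10.0.9.6173
mail-gw-04,hardware,10.0.9
mail-gw-05,esxi,10.0.10.1
mail-cloud,hosted,10.0.9
"""


def assess_inventory(csv_text: str) -> List[Tuple[str, str, str, bool]]:
    """Return (host, platform, version, vulnerable) for each non-empty inventory line."""
    results = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        host, platform, version = (field.strip() for field in line.split(",", 2))
        results.append((host, platform, version, is_vulnerable(version, platform)))
    return results


if __name__ == "__main__":
    for host, platform, version, vuln in assess_inventory(SAMPLE_INVENTORY):
        status = "UPGRADE" if vuln else "ok"
        print(f"{host:12} {platform:9} {version:13} {status}")
```

Run against the sample inventory, the Windows host on build 6173 passes while the ESXi host on the same build is flagged, because the ESXi fixed build is 6177; that platform split is the detail most likely to be missed in a manual review.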