Just in Time Bulletin: Zero-Day Flaws in SonicWall Email Security Product Exploited in Attacks

Sep 02, 2021

Three zero-day vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – identified in SonicWall’s Email Security (ES) product were being exploited in the wild. The three vulnerabilities were chained to obtain administrative access and code execution on a SonicWall ES device. The adversary, who showed intimate knowledge of the SonicWall application, used them to install a backdoor, access files and emails, and move laterally into the victim organization’s network.

What are CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023?

CVE-2021-20021 is a critical issue that allows a remote, unauthenticated attacker to create admin accounts by sending specially crafted HTTP requests to the targeted system.

The other vulnerabilities, identified as CVE-2021-20022 and CVE-2021-20023, can be exploited by authenticated attackers to upload arbitrary files and read arbitrary files from the host, respectively. These bugs have been assigned a medium severity rating based on their CVSS score, but they can be very dangerous when chained with CVE-2021-20021.

How bad is this?

CVE              CVSSv3 Score
CVE-2021-20021   9.8
CVE-2021-20022   7.2
CVE-2021-20023   TBD

Active exploitation today: Exploited in the wild

Severity: Critical

  • credentials not required
  • authentication bypass
  • remote command execution

Who is affected by this?

All three vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – affect SonicWall On-premise Email Security (ES) 10.0.9 and earlier versions, and Hosted Email Security (HES) 10.0.9 and earlier versions.

How are they exploited?

Please review the FireEye Threat Research post and the SonicWall Security Advisory for more information.

How do I protect myself?

To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances). Organizations using SonicWall Hosted Email Security (HES) products were automatically updated and no action is required for those customers.
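As an added example (not NopSec's or SonicWall's tooling), the following Python checker flags on-premise ES hosts whose reported build is below the fixed builds listed above, skipping HES tenants since those were vendor-updated. The inventory records are constructed, and treating a bare "10.0.9" as older than every 10.0.9.x build is an assumption.

```python
"""Flag on-premise SonicWall ES hosts still below the fixed builds for
CVE-2021-20021/-20022/-20023. Added example, not vendor tooling."""
from __future__ import annotations

# Fixed builds named in the bulletin, keyed by deployment platform.
FIXED_BUILDS = {
    "windows": "10.0.9.6173",
    "appliance": "10.0.9.6177",  # hardware and ESXi virtual appliances
}


def parse_version(version: str) -> tuple[int, ...]:
    """'10.0.9.6173' -> (10, 0, 9, 6173); shorter strings are zero-padded."""
    parts = version.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str, platform: str) -> bool:
    """True when the reported build is below the platform's fixed build.

    Assumption (not stated in the bulletin): a version with no build
    number, e.g. '10.0.9', is treated as older than every 10.0.9.x build.
    """
    return parse_version(version) < parse_version(FIXED_BUILDS[platform.lower()])


def triage(inventory: list[dict]) -> list[dict]:
    """Annotate each on-prem ES record; HES is vendor-patched and skipped."""
    results = []
    for host in inventory:
        if host["product"].upper() == "HES":
            results.append({**host, "affected": False, "note": "vendor-updated"})
            continue
        results.append({**host, "affected": is_affected(host["version"], host["platform"])})
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "es-win-01", "product": "ES", "platform": "windows", "version": "10.0.9.6100"},
    {"host": "es-esx-02", "product": "ES", "platform": "appliance", "version": "10.0.9.6177"},
    {"host": "es-hw-03", "product": "ES", "platform": "appliance", "version": "10.0.9"},
    {"host": "hes-cloud", "product": "HES", "platform": "hosted", "version": "10.0.9"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["host"]:<12} {row["version"]:<14} affected={row["affected"]}')
```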

Additional Resources: