Three zero-day vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – identified in SonicWall’s Email Security (ES) product were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.
What are CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023?
CVE-2021-20021 is a critical issue that allows a remote, unauthenticated attacker to create admin accounts by sending specially crafted HTTP requests to the targeted system.
The other vulnerabilities, identified as CVE-2021-20022 and CVE-2021-20023, can be exploited by authenticated attackers to upload arbitrary files and read arbitrary files from the host, respectively. These bugs have been assigned a medium severity rating based on their CVSS score, but they can be very dangerous when chained with CVE-2021-20021.
How bad is this?
Active exploitation today: Exploited in the wild
- credentials not required
- authentication bypass
- remote command execution
Who is affected by this?
All 3 vulnerabilities – CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 – affect any SonicWall On-premise Email Security (ES) 10.0.9 and earlier versions, Hosted Email Security (HES) 10.0.9 and earlier versions.
How are they exploited?
Please review the Fireeye Threat Research and see SonicWall Security Advisory for more information.
How do I protect myself?
To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances). Organizations using SonicWall Hosted Email Security (HES) products were automatically updated and no action is required for those customers.