SonicWall Email Security Products Target of Zero-Day Exploits
Security researchers at FireEye have identified three zero-day vulnerabilities in SonicWall Email Security (ES) products. These vulnerabilities can be chained together to gain administrative access to enterprise networks and achieve code execution, and are reportedly being exploited in the wild.
What’s the nature of the vulnerabilities?
Identified by FireEye researchers in March 2021, the three vulnerabilities have been observed being exploited in the wild.
The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10.
The other two vulnerabilities have CVSS scores of 7.2 and 6.7.
The vulnerabilities are being tracked as:
- CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host (CVSS 9.8). It allows an attacker to create an account with administrator privileges through an XML document.
- CVE-2021-20022 – Post-authentication vulnerability, presumably used in conjunction with the first. It would allow an attacker to upload a file to the device (CVSS 7.2).
- CVE-2021-20023 – Gives the ability to access any file stored on the remote host (CVSS 6.7).
FireEye researchers did not attribute the observed attacks to any threat group; however, they track the activity as UNC2682.
Affected products:
- SonicWall On-premise Email Security (ES) version 10.0.9 and earlier
- Hosted Email Security (HES) version 10.0.9 and earlier
What’s the risk?
Threat actors could exploit these vulnerabilities to gain administrative access and code execution on a SonicWall ES device, allowing installation of a backdoor, file and email access, and lateral movement in the victim organization’s network.
It is unclear how many victims have been impacted by these vulnerabilities.
How can I fix it?
A hotfix is available from SonicWall:
- Hosted Email Security (HES) has been automatically upgraded to Hotfix 10.0.9.6103; no action is required by HES users.
- On-premise Email Security Windows users should upgrade to 10.0.9.6103 and Appliance users should upgrade to 10.0.9.6105. The hotfix is available for download on mysonicwall.com.
SonicWall has provided a step-by-step guide for applying security upgrades.
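As an added example (not from the advisory or from SonicWall), a small Python triage helper that flags which entries of an asset inventory still sit below the hotfix builds listed above. It assumes dotted-integer version strings in which a fourth component is the hotfix build number; the deployment-type names and sample hosts are constructed.

```python
"""Asset-inventory check for the SonicWall ES hotfix thresholds in the advisory.
Assumption (added here, not stated by SonicWall): a version string is dotted
integers such as "10.0.9.6103"; the fourth component is the hotfix build and
its absence means the base release without any hotfix."""
from typing import List, Tuple

# Fixed builds named in the advisory, keyed by deployment type.
FIXED_BUILD = {
    "hes": (10, 0, 9, 6103),        # Hosted Email Security (auto-upgraded)
    "windows": (10, 0, 9, 6103),    # on-premise ES on Windows
    "appliance": (10, 0, 9, 6105),  # on-premise ES appliance
}

# Newest release branch the advisory lists as affected ("10.0.9 and earlier").
LAST_AFFECTED_RELEASE = (10, 0, 9)


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.9.6103' -> (10, 0, 9, 6103); a missing build component becomes 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def is_vulnerable(deployment: str, version: str) -> bool:
    """True if this install still lacks the hotfix for CVE-2021-20021/20022/20023."""
    deployment = deployment.lower()
    if deployment not in FIXED_BUILD:
        raise ValueError(f"unknown deployment type: {deployment!r}")
    v = parse_version(version)
    if v[:3] > LAST_AFFECTED_RELEASE:   # newer branches are not listed as affected
        return False
    return v < FIXED_BUILD[deployment]   # below the fix build => still exposed


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (hostname, deployment, version) entries that still need the hotfix."""
    return [entry for entry in inventory if is_vulnerable(entry[1], entry[2])]


if __name__ == "__main__":
    sample = [  # constructed sample inventory, not real hosts
        ("mx-appliance-01", "appliance", "10.0.9.6103"),  # Windows fix build, not appliance's
        ("mx-windows-01", "windows", "10.0.9.6103"),
        ("mx-windows-02", "windows", "10.0.9"),
    ]
    for host, _, ver in triage(sample):
        print(f"{host} ({ver}) still needs the hotfix")
```

Note that the appliance fix build (6105) is higher than the Windows one (6103), so an appliance reporting 10.0.9.6103 is still flagged.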