SonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities in its email security solution which are being actively exploited in the wild.
The company stated in a security alert that the fixes have been published to resolve three critical issues impacting “hosted and on-premises email security products.”
SonicWall ES is a solution designed to protect email traffic and communication, such as by preventing phishing emails and business email compromise (BEC) attempts.
At least one known case of active exploitation in the appliance has been recorded.
SonicWall stated that organizations using SonicWall Email Security (ES) hardware appliances, virtual appliances or software installation on Microsoft Windows Server must immediately upgrade to the respective SonicWall Email Security version listed.
The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, and they affect SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
CVE-2021-20021: CVSS 9.4, “Unauthorized administrative account creation”: Crafted HTTP requests sent to a remote host can allow the unauthorized creation of administrator accounts due to an improperly secured API endpoint.
CVE-2021-20022: CVSS 6.7, “Post-authentication arbitrary file upload”: Post-authenticated attackers can upload arbitrary files to a remote host, caused by an issue in the “branding” functionality.
CVE-2021-20023: CVSS 6.7, “Post-authentication arbitrary file read”: Attackers can also read arbitrary files on a remote host, also caused by the “branding” feature.
The vulnerabilities were discovered by FireEye’s Mandiant team, which disclosed the bugs to the SonicWall Product Security Incident Response Team (PSIRT) after an investigation of post-exploitation web shell activity on a client’s system pointed to SonicWall ES as the original source of compromise.
The Mandiant researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino stated that the vulnerabilities have been exploited in an attack chain to obtain administrative access and to execute code on vulnerable ES products, including the installation of a backdoor, file exposure, and to achieve lateral network movement.
The observed case shows an adversary with “intimate knowledge of the SonicWall application.”
The bugs CVE-2021-20021 and CVE-2021-20022 were reported on March 26 and acknowledged on March 21, and a hotfix was applied on April 9. CVE-2021-20023 was reported on April 7, and the patch was made available on April 19.
SonicWall asks all customers to update their Email Security builds to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware/ESXi Virtual Appliance), which contain hotfixes for the vulnerabilities.
Clients who have signed up for SonicWall Hosted Email Security (HES) products do not have to take further action, as patches have been applied automatically in version 10.0.9.6173.
But the critical vulnerabilities also impact SonicWall ES versions 7.0.0-9.2.2, which are end-of-life, legacy products not entitled to security updates. For users of these versions, SonicWall also urges an immediate upgrade.
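To triage an inventory against the versions named above, here is an added Python example (not from SonicWall or the article) that classifies an Email Security build string by platform. The version boundaries are the ones quoted on this page; the function names, the platform labels, the sample inventory and the “not_listed” handling of versions between 9.2.2 and 10.0.1 are assumptions.

```python
from typing import Dict, List, Tuple

# Version boundaries as stated in the advisory text above.
FIXED_BUILDS = {
    "windows": "10.0.9.6173",
    "hardware": "10.0.9.6177",
    "esxi": "10.0.9.6177",
}
FIRST_AFFECTED = "10.0.1"        # ES/HES 10.0.1 and above are affected
EOL_RANGE = ("7.0.0", "9.2.2")   # legacy builds: affected, no security updates


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string such as '10.0.9.6173' into a comparable tuple."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def assess_es_version(version: str, platform: str) -> str:
    """Classify one SonicWall ES build for this advisory.

    'patched'    -> at or above the fixed build for that platform
    'vulnerable' -> 10.0.1 or later but below the fixed build; upgrade now
    'eol'        -> 7.0.0 to 9.2.2; affected, unsupported, upgrade off the branch
    'not_listed' -> outside every range the advisory names; verify manually
    """
    platform = platform.lower()
    if platform not in FIXED_BUILDS:
        raise ValueError(f"unknown platform: {platform!r}")
    v = parse_version(version)
    if v >= parse_version(FIXED_BUILDS[platform]):
        return "patched"
    if v >= parse_version(FIRST_AFFECTED):
        return "vulnerable"
    if parse_version(EOL_RANGE[0]) <= v <= parse_version(EOL_RANGE[1]):
        return "eol"
    return "not_listed"


def triage_inventory(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (host, version, platform) row to a status; bad rows become 'error'."""
    results: Dict[str, str] = {}
    for host, version, platform in inventory:
        try:
            results[host] = assess_es_version(version, platform)
        except ValueError:
            results[host] = "error"
    return results
```

A fixed Windows build number is not sufficient on a hardware or ESXi appliance, where the fixed build is 10.0.9.6177, so the platform must be recorded alongside the version.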