Zero-day vulnerabilities in SonicWall email security are being actively exploited

The vendor is urging customers to apply patches immediately.

SonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities in its email security solution that are being actively exploited in the wild. 

In a security alert on Tuesday, the US company said fixes have been published to resolve three critical issues impacting "hosted and on-premises email security products."

SonicWall ES is a product designed to protect email traffic and communication, for example by blocking phishing emails and business email compromise (BEC) attempts.

At least one case of active exploitation of the appliance has been recorded.

"It is imperative that organizations using SonicWall Email Security (ES) hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed," SonicWall says. 

The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.

  • CVE-2021-20021: CVSS 9.4, "Unauthorized administrative account creation": Crafted HTTP requests sent to a remote host can allow the unauthorized creation of administrator accounts due to an improperly secured API endpoint.
  • CVE-2021-20022: CVSS 6.7, "Post-authentication arbitrary file upload": Authenticated attackers can upload arbitrary files to a remote host because of a flaw in the "branding" functionality.
  • CVE-2021-20023: CVSS 6.7, "Post-authentication arbitrary file read": Authenticated attackers can also read arbitrary files on a remote host, again due to the "branding" feature.

FireEye's Mandiant team discovered and disclosed the bugs to the SonicWall Product Security Incident Response Team (PSIRT) through an investigation of post-exploitation web shell activity on a client's system that pointed to SonicWall ES as the original source of compromise.  

According to Mandiant researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino, the vulnerabilities have been chained together to obtain administrative access and execute code on vulnerable ES products, enabling the installation of a backdoor, exposure of files, and lateral movement across the network.

The team added that this particular case shows "intimate knowledge of the SonicWall application."

CVE-2021-20021 and CVE-2021-20022 were reported privately on March 26, acknowledged on March 21, and a hotfix was applied on April 9. CVE-2021-20023 was reported on April 7, leading to a patch becoming available on April 19. 

SonicWall is urging customers to update their Email Security builds to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware/ESXi Virtual Appliance), which contain hotfixes for the vulnerabilities. 

Clients signed up for SonicWall Hosted Email Security (HES) products do not need to take further action as patches have been automatically applied in version 10.0.9.6173. 

However, the vendor says the critical vulnerabilities also impact SonicWall ES versions 7.0.0-9.2.2, which are end-of-life, legacy products not entitled to security updates. For users of these versions, SonicWall also urges an immediate upgrade. 

SonicWall has provided a step-by-step guide for applying security upgrades. 
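The fixed and end-of-life version numbers above are the facts a defender actually needs when triaging an inventory of ES installations. The following helper is an added example (not SonicWall's or Mandiant's code) that classifies a build string against those numbers: it assumes versions are written as "major.minor.patch[.build]" (as in 10.0.9.6173), that the platform is given as one of the hypothetical labels "windows" or "appliance", and that a build without the fourth component is treated conservatively as unpatched. Versions outside the ranges the article describes (below 7.0.0, or between 9.2.2 and 10.0.1) are reported as "not-covered" rather than guessed at.

```python
"""Classify SonicWall Email Security (ES) builds against the fixed and
end-of-life versions named in the advisory coverage.

Added example, not vendor code.  Assumptions:
  - version strings look like "10.0.9.6173" (3 or 4 dotted integers);
  - platform labels "windows" and "appliance" are hypothetical names for
    the Windows installer and the hardware/ESXi virtual appliance;
  - the fixed builds (10.0.9.6173 / 10.0.9.6177), the affected floor
    (10.0.1) and the EOL range (7.0.0-9.2.2) are taken from the article.
"""
from collections import Counter

# Fixed builds per platform, as tuples so they compare numerically.
FIXED_BUILD = {
    "windows": (10, 0, 9, 6173),
    "appliance": (10, 0, 9, 6177),
}
EOL_MIN, EOL_MAX = (7, 0, 0), (9, 2, 2)   # legacy releases, no patch available
AFFECTED_MIN = (10, 0, 1)                 # "10.0.1 and above" is affected


def parse_version(text: str) -> tuple:
    """Turn '10.0.9.6173' into (10, 0, 9, 6173); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str, platform: str) -> str:
    """Return one of: patched, vulnerable, end-of-life, not-covered.

    A bare '10.0.9' (no build number) compares lower than (10, 0, 9, 6173)
    in tuple order, so it is reported as vulnerable: without the build
    number there is no evidence the hotfix is present.
    """
    if platform not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}")
    v = parse_version(version)
    if EOL_MIN <= v[:3] <= EOL_MAX:
        return "end-of-life"
    if v[:3] < AFFECTED_MIN:
        return "not-covered"          # the advisory says nothing about it
    if v >= FIXED_BUILD[platform]:
        return "patched"
    return "vulnerable"


def triage(inventory) -> dict:
    """Classify every (hostname, version, platform) record and count results."""
    results = {host: classify(ver, plat) for host, ver, plat in inventory}
    return {"hosts": results, "summary": dict(Counter(results.values()))}


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("es-win-01", "10.0.9.6173", "windows"),    # at the Windows fix level
    ("es-win-02", "10.0.4.1234", "windows"),    # affected, below the fix
    ("es-va-01", "10.0.9.6173", "appliance"),   # Windows build number on an appliance: still short of 6177
    ("es-va-02", "10.0.9.6177", "appliance"),   # appliance fix level
    ("es-old-01", "9.2.2", "appliance"),        # end-of-life, must be replaced
    ("es-bare-01", "10.0.9", "windows"),        # build number missing: treat as unpatched
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for host, status in report["hosts"].items():
        print(f"{host:12} {status}")
    print(report["summary"])
```

Run against an exported list of hosts, the summary gives the count of installs still needing the hotfix and the count of legacy 7.x-9.x installs that cannot be patched at all and must be upgraded or removed from the edge.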
