Zero-Day Vulnerabilities in SonicWall Email Security

Published on 21 Apr 2021

Updated on 21 Apr 2021

SonicWall has released security updates for their Email Security (ES) product to patch three zero-day vulnerabilities. There have been reports of active exploitation of these vulnerabilities.

The vulnerabilities are:
  • CVE-2021-20021 — A pre-authentication administrative account creation vulnerability that allows an unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host.
  • CVE-2021-20022 and CVE-2021-20023 — Post-authentication arbitrary file creation and arbitrary file read vulnerabilities that allow an authenticated attacker to upload or read an arbitrary file on the remote host.

These vulnerabilities have been fixed in ES versions 10.0.1, 10.0.2, 10.0.3 and 10.0.4-Present.
 
Administrators are advised to upgrade their ES appliances or software installation to the latest versions (10.0.9.6177 or 10.0.9.6173) immediately.
 
Organisations using legacy ES versions 7.0.0 - 9.2.2 with an active support license are strongly advised to upgrade to the latest ES version.
 
More information is available here:
https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html