22 Apr, 2021

Zero-Day Vulnerabilities Discovered in SonicWall's Email Security Product

SonicWall has warned its users to update their in-house email security products, which contain three actively exploited zero-day vulnerabilities.

The vulnerabilities in SonicWall's Email Security product are as follows:

  • CVE-2021-20021 (CVSS score: 9.4): Pre-authentication administrative account creation in Email Security. The vulnerability in SonicWall Email Security version 10.0.9.x allows an attacker to create an administrator account by sending a crafted HTTP request to the remote host.
  • CVE-2021-20022 (CVSS score: 6.7): Post-authentication arbitrary file creation in Email Security. SonicWall Email Security version 10.0.9.x contains a vulnerability that could allow an authenticated attacker to upload an arbitrary file to a remote host.
  • CVE-2021-20023 (CVSS score: 6.7): Post-authentication arbitrary file read in Email Security. SonicWall Email Security version 10.0.9.x contains a vulnerability that, after authentication, could allow an attacker to read an arbitrary file on the remote host.

 

The vulnerabilities described above were discovered by FireEye's Mandiant team. The Mandiant team announced on March 26, 2021 that it had discovered them during research carried out for one of its customers, which was using an instance of SonicWall's Email Security (ES) application running on Windows Server 2021.

Mandiant's statement reads as follows: “In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities that were exploited in an environment running in SonicWall's Email Security (ES) product. These vulnerabilities were exploited together to gain administrative access and code execution on a SonicWall ES device. We found that attackers exploit these vulnerabilities with in-depth knowledge of the SonicWall implementation to install a backdoor to access files and emails, traversing the victim organization's network.”

For now, FireEye has not been able to definitively connect attackers to any previously known APT group, so the threat actor has been identified as UNC2682. UNC stands for "uncategorized". The company noted that the hackers appeared to have "intimate knowledge" of how the SonicWall product works.

 

| Affected Version | Updated Version | PSIRT Advisory ID | CVE Lists |
|---|---|---|---|
| Email Security (ES) 10.0.4-Present, Email Security 10.0.3, Email Security 10.0.2, Email Security 10.0.1 | Email Security 10.0.9.6173 (Windows) | SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010 | CVE-2021-20021, CVE-2021-20022, CVE-2021-20023 |
| Email Security (ES) 10.0.4-Present, Email Security 10.0.3, Email Security 10.0.2, Email Security 10.0.1 | Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance) | SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010 | CVE-2021-20021, CVE-2021-20022, CVE-2021-20023 |
| Hosted Email Security (HES) 10.0.4-Present, Hosted Email Security 10.0.3, Hosted Email Security 10.0.2, Hosted Email Security 10.0.1 | Hosted Email Security 10.0.9.6173 (Patched Automatically) | SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010 | CVE-2021-20021, CVE-2021-20022, CVE-2021-20023 |

 

Source:
SonicWall
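
An added example (not SonicWall's or Mandiant's code) that checks an inventory of Email Security installations against the fixed builds in the table above, comparing version parts as numbers rather than as strings. The platform keys, host names and installed versions are constructed for illustration; Hosted Email Security is left out because the table lists it as patched automatically.

```python
# Fixed builds and the oldest listed affected release come from the advisory
# table on this page. Platform keys and inventory rows are constructed.
FIXED_BUILDS = {
    "windows": (10, 0, 9, 6173),
    "appliance": (10, 0, 9, 6177),   # hardware and ESXi virtual appliance
}
OLDEST_LISTED = (10, 0, 1)           # table lists 10.0.1 through 10.0.4-Present

def parse_version(text):
    """Turn '10.0.9.6173' into (10, 0, 9, 6173) so parts compare as numbers."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform, version):
    """True when the installed build is older than the fixed build."""
    fixed = FIXED_BUILDS[platform.lower()]
    installed = parse_version(version)
    # Pad short versions such as '10.0.4' with zeros before comparing.
    installed += (0,) * (len(fixed) - len(installed))
    if installed < OLDEST_LISTED:
        raise ValueError("release is older than anything the table covers")
    return installed < fixed

def audit(inventory):
    """Return (host, platform, version, status) for each inventory row."""
    report = []
    for host, platform, version in inventory:
        try:
            status = "UPDATE" if needs_update(platform, version) else "ok"
        except (KeyError, ValueError):
            status = "CHECK MANUALLY"   # unknown platform or unusable version
        report.append((host, platform, version, status))
    return report

# Constructed sample inventory (host names and installed builds are made up).
SAMPLE = [
    ("es-win-01", "windows", "10.0.9.6105"),
    ("es-win-02", "windows", "10.0.9.6173"),
    ("es-esxi-01", "appliance", "10.0.9.6173"),   # Windows fix level, not 6177
    ("es-hw-01", "appliance", "10.0.10.100"),     # hypothetical later build
    ("es-old-01", "windows", "10.0.4"),
    ("es-unk-01", "appliance", "unknown"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<12}{:<11}{:<14}{}".format(*row))
```

The constructed `10.0.10.100` row shows why the parts are compared numerically: as plain strings it would sort before `10.0.9.6177` and be flagged by mistake.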

