SonicWall has warned its users to update their in-house email security products that contain 3 actively exploited zeroday vulnerabilities.
The vulnerabilities of the SonicWall e-mail security provider product are as follows;
- CVE-2021-20021 (CVSS score: 9.4): Email security pre-authentication can create administrator account. The vulnerability in SonicWall Email Security version 10.0.9.x allows an attacker to create an administrator account by sending a crafted HTTP request to the remote host.
- CVE-2021-20022 (CVSS score: 6.7): Provides random file generation after email security authentication. SonicWall Email Security version 10.0.9.x contains a vulnerability that could allow an authenticated attacker to upload an arbitrary file to a remote host.
- CVE-2021-20023 (CVSS score: 6.7) : Allows random file reading after email security authentication. SonicWall Email Security version 10.0.9.x contains a vulnerability that, after authentication, could allow an attacker to read an arbitrary file on the remote host.
The vulnerabilities we explained above were discovered by FireEye's Mandiant team. The Mandiant team announced on March 26, 2021 that it discovered it as a result of research done to one of their customers using a sample of SonicWall's Email Security (ES) application running on Windows Server 2021.
In March 2021, Mandiant Managed Defense identified three ZeroDay vulnerabilities that were exploited in an environment running in SonicWall's Email Security (ES) product. These vulnerabilities were exploited together to gain administrative access and code execution on a SonicWall ES device. We found that attackers exploit these vulnerabilities with in-depth knowledge of the SonicWall implementation to install a backdoor to access files and emails, traversing the victim organization's network.” is in the form.
For now, FireEye has not been able to definitively connect attackers to any previously known APT group, so the threat actor has been identified as UNC2682. UNC stands for "uncategorized". The company noted that the hackers appeared to have "intimate knowledge" of how the SonicWall product works.
| AFFECTED VERSION | Updated Version | PSIRT ADVISORY ID |
CVE Lists |
| Email Security (ES) 10.0.4-PresentEmail Security 10.0.3Email Security 10.0.2Email Security 10.0.1 |
Email Security 10.0.9.6173 (Windows) |
SNWLID-2021-0007SNWLID-2021-0008SNWLID-2021-0010 | CVE-2021-20021CVE-2021-20022CVE-2021-20023 |
| Email Security (ES) 10.0.4-PresentEmail Security 10.0.3Email Security 10.0.2Email Security 10.0.1 |
Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance) |
SNWLID-2021-0007SNWLID-2021-0008SNWLID-2021-0010 | CVE-2021-20021CVE-2021-20022CVE-2021-20023 |
| Hosted Email Security (HES) 10.0.4-PresentHosted Email Security 10.0.3Hosted Email Security 10.0.2Hosted Email Security 10.0.1 |
Hosted Email Security 10.0.9.6173 (Patched Automatically) |
SNWLID-2021-0007SNWLID-2021-0008SNWLID-2021-0010 | CVE-2021-20021CVE-2021-20022CVE-2021-20023 |
Source:
SonicWall
