Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Security Notice: SonicWall Email Security Zero-Day Vulnerabilities

MicahMicah SonicWall Employee

UPDATED: 4/20/2021

Through the course of standard collaboration and testing, SonicWall has verified, tested and published patches to mitigate three zero-day vulnerabilities to its hosted and on-premises email security products.

In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’ It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed below.

  • Email Security 10.0.9.6173 (Windows)
  • Email Security 10.0.9.6177 (Appliance)
  • Hosted Email Security 10.0.9.6173 (Patched automatically; no action required)

SonicWall Hosted Email Security (HES) was patched on April 19, 2021, and no action is required from organizations that are only using the hosted email security product.

Step-by-step guidance on how to apply the updates is available on an in-depth knowledgebase (KB) article.

PSIRT Advisory IDs

Support for End-of-Life Email Security Products

SonicWall Email Security versions 7.0.0-9.2.2 are also impacted by the above vulnerabilities. However, these legacy versions have reached end of life (EOL) and are no longer supported. Organizations using these legacy product versions and have an active support license can download the latest Email Security versions from their MySonicWall account.

Customers without an active support license should contact their SonicWall SecureFirst partner to renew the license and upgrade to the latest SonicWall Email Security version. To find your local partner, please visit the SonicWall Partner Locator.

IPS Signatures Detect Exploitation

SonicWall has automatically deployed Intrusion Prevention System (IPS) signatures to help detect and block attacks that attempt to leverage the above vulnerabilities. The below signatures have already been applied to SonicWall firewalls with active security subscriptions.

  • IPS Signature: 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability)
  • IPS Signature: 1067 WEB-ATTACKS Web Application Directory Traversal Attack 7
  • IPS Signature: 15509 WEB-ATTACKS Web Application Directory Traversal Attack 7 -c2

About the CVEs

  • CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation: A vulnerability in the SonicWall Email Security versions listed above could allow an attacker to potentially create an administrative account by sending a crafted HTTP request to the remote host.
  • CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation: A vulnerability in the SonicWall Email Security versions listed above could allow a post-authenticated attacker to potentially upload an arbitrary file to the remote host.
  • CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read: A vulnerability in the SonicWall Email Security versions listed above could allow a post-authenticated attacker to potentially read an arbitrary file from the remote host.

For additional details on threat actor behavior, please review Mandiant's blog.

Category: Email Security Appliances
Reply

@micah - SonicWall's Self-Service Sr. Manager

Comments

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    @Micah I'm still on 10.0.6. Do I have to apply every update in between or can I go straight to this latest one? The upgrade path KB article isn't clear.

  • David WDavid W SonicWall Employee

    You can go right to the 10.0.9.

    However please keep in mind the ES 10.0.9 hotfix release specifically resolves the 2 critical vulnerabilities.

    Any other product issues are being addressed in the subsequent email security releases.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Thanks @David W, I got my systems updated and everything seems to be ok.

  • LarryPueblaLarryPuebla Newbie ✭

    Hello All, is there a way to identify if the appliance has been breached, admin account created?

  • Craig_SCraig_S Newbie ✭

    What are the Indicators of Compromise for the appliance? I see on the FireEye blog the ioc's for the ES running on Windows server, but it doesn't translate well to the ES5000 running Linux. I'm concerned because the appliance locked up a week prior to this announcement. I did look through the local user accounts, and there wasn't any unaccounted for users.

    Is there anything I can look for in the System/Log files?

  • David WDavid W SonicWall Employee

    @Craig_S An applaince can lockup or be unresponsive for many reasons.

    That does not constitute that is was compromised.

    If there are not any manually added admin accounts then it is unlikely you have this issue.

    I would suggest opening a support case and working with a tech to look into it further.

    It's more likely you have a message specific issue where a message is looping in the SMTP proxy.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

  • David WDavid W SonicWall Employee

    @LarryPuebla You can look in the UI and see if there are any new Admin accounts you do not recognize.

    These would be listed in the Users area.

    David Wilbur

     Technical Support Senior Advisor, Premier Services , SME Email Security

Sign In or Register to comment.