Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)
| Risk | Critical |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-20021 CVE-2021-20022 |
| CWE-ID | CWE-287 CWE-434 |
| Exploitation vector | Network |
| Public exploit |
Vulnerability #1 is being exploited in the wild. Vulnerability #2 is being exploited in the wild. |
| Vulnerable software |
SonicWall On-premise Email Security (ES) Client/Desktop applications / Antivirus software/Personal firewalls SonicWall Hosted Email Security (HES) Client/Desktop applications / Antivirus software/Personal firewalls |
| Vendor | SonicWall |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
Updated: 21.04.2021
Updated vulnerabilities description, related to in the wild exploitation of the vulnerabilities as well as information, disclosed by FireEye. Raised severity level of the bulletin from High to Critical.
1) Improper Authentication
EUVDB-ID: #VU52038
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2021-20021
CWE-ID:
CWE-287 - Improper Authentication
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a “role.ouadmin” account and authenticate to the application as an administrator.
Note, the vulnerability is being actively exploited in the wild.
Install updates from vendor's website.
Vulnerable software versionsSonicWall On-premise Email Security (ES): before 10.0.9.6103
SonicWall Hosted Email Security (HES): before 10.0.9.6103
CPE2.3- cpe:2.3:a:sonicwall:sonicwall_on-premise_email_security_es:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:sonicwall_hosted_email_security_hes:*:*:*:*:*:*:*:*
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
2) Arbitrary file upload
EUVDB-ID: #VU52039
Risk: High
CVSSv4.0: 8.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2021-20022
CWE-ID:
CWE-434 - Unrestricted Upload of File with Dangerous Type
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to insufficient validation of file during file upload within the branding feature. A remote administrator can upload a malicious ZIP archive to the system to an arbitrary location using directory traversal sequences in the filenames inside the uploaded archive and compromise the affected system.
Note, the vulnerability is being actively exploited in the wild.
Install updates from vendor's website.
Vulnerable software versionsSonicWall On-premise Email Security (ES): before 10.0.9.6103
SonicWall Hosted Email Security (HES): before 10.0.9.6103
CPE2.3- cpe:2.3:a:sonicwall:sonicwall_on-premise_email_security_es:*:*:*:*:*:*:*:*
- cpe:2.3:a:sonicwall:sonicwall_hosted_email_security_hes:*:*:*:*:*:*:*:*
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
