SB2021041210 - Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)

Published: April 12, 2021 Updated: April 21, 2021

Security Bulletin ID: SB2021041210
Severity: Critical
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 50%, High: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper Authentication (CVE-ID: CVE-2021-20021)

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when processing authentication requests to the "/createou?data=" endpoint, which is responsible for administration capabilities, specifically the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organizational Unit (AD OU). Requests to this form are not verified to require prior authentication to the appliance. A remote unauthenticated attacker can send a specially crafted XML document via the HTTP GET or POST method, create a "role.ouadmin" account and authenticate to the application as an administrator.

Note, the vulnerability is being actively exploited in the wild.
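Because the endpoint above should only ever be reached by an already authenticated administrator, any request to it is worth reviewing in HTTP access logs, and a request that carries no authenticated identity deserves priority. The following is an added detection example, not part of the bulletin or of SonicWall's tooling; it assumes logs in Apache/nginx combined format (the appliance's real log format may differ, so adapt the regex to what your proxy or SIEM emits), and the log lines are constructed for the demonstration.

```python
import re

# Constructed sample lines in combined log format (not real appliance logs).
# The query value is replaced with a placeholder; only the path matters here.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2021:09:14:02 +0000] "GET /createou?data=REDACTED HTTP/1.1" 200 512 "-" "python-requests/2.25.1"
198.51.100.23 - admin [12/Apr/2021:09:15:10 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2021:09:14:05 +0000] "POST /createou HTTP/1.1" 200 340 "-" "python-requests/2.25.1"
198.51.100.23 - admin [12/Apr/2021:09:20:33 +0000] "GET /settings HTTP/1.1" 200 2048 "https://mail.example.test/" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Combined log format: ip ident user [timestamp] "METHOD path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The administrative endpoint named in the bulletin.
WATCHED_PATH = "/createou"


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_createou(lines):
    """Return every parsed request whose path (query string stripped) is the watched endpoint.

    Severity is 'high' when the log carries no authenticated user ('-'), because the
    bulletin's point is that the endpoint accepted requests without prior authentication.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the hunt
        path = rec["path"].split("?", 1)[0]
        if path != WATCHED_PATH:
            continue
        rec["severity"] = "high" if rec["user"] == "-" else "medium"
        findings.append(rec)
    return findings


def summarize_by_source(findings):
    """Aggregate findings per source IP: hit count, methods, statuses and worst severity."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(
            f["ip"], {"count": 0, "methods": set(), "statuses": set(), "max_severity": "medium"}
        )
        entry["count"] += 1
        entry["methods"].add(f["method"])
        entry["statuses"].add(f["status"])
        if f["severity"] == "high":
            entry["max_severity"] = "high"
    return summary


if __name__ == "__main__":
    hits = detect_createou(SAMPLE_LOG.splitlines())
    for ip, info in summarize_by_source(hits).items():
        print(ip, info["count"], sorted(info["methods"]), sorted(info["statuses"]), info["max_severity"])
```

A successful (HTTP 200) hit on the endpoint from a source that never authenticated is the pattern to review; correlating the source address with subsequent administrator logins and with any newly created "role.ouadmin" accounts in the appliance's audit trail confirms or rules out abuse.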


2) Arbitrary file upload (CVE-ID: CVE-2021-20022)

The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to insufficient validation of files uploaded through the branding feature. A remote administrator can upload a malicious ZIP archive whose entry filenames contain directory traversal sequences, causing files to be written to an arbitrary location on the system and compromising the affected system.

Note, the vulnerability is being actively exploited in the wild.
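The defence for this class of bug is to validate every entry name in an uploaded archive before anything is written, and to refuse the whole archive if any entry could escape the destination directory. The following is an added example in Python, not the appliance's code or any SonicWall fix; the archive it inspects is constructed in memory for the demonstration, with one legitimate asset and one entry carrying a traversal sequence of the kind the bulletin describes.

```python
import io
import os
import tempfile
import zipfile


def build_demo_archive() -> bytes:
    """Constructed demo archive: a normal branding asset plus one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("branding/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("branding/../../etc/injected.conf", b"# constructed placeholder content\n")
    return buf.getvalue()


def is_safe_member(name: str) -> bool:
    """Reject entry names that could land outside the extraction root.

    The raw name is checked, not a normalized one: normalizing first would
    silently collapse the very components we want to refuse.
    """
    if not name:
        return False
    unified = name.replace("\\", "/")            # treat Windows separators like "/"
    if unified.startswith("/"):                  # absolute path
        return False
    if len(unified) > 1 and unified[1] == ":":   # Windows drive letter, e.g. C:/
        return False
    if "\x00" in unified:                        # embedded NUL can truncate names downstream
        return False
    return ".." not in unified.split("/")        # any ".." component escapes the root


def unsafe_members(zip_bytes: bytes) -> list:
    """List every entry name in the archive that fails is_safe_member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if not is_safe_member(i.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Extract only if every entry is safe; otherwise refuse the whole archive.

    A second, independent check resolves each target path and confirms it stays
    under dest, so a gap in the name check alone cannot let a file out.
    """
    bad = unsafe_members(zip_bytes)
    if bad:
        raise ValueError(f"archive rejected, unsafe entries: {bad}")
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"resolved outside destination: {info.filename}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo():
    """Run the checks on the constructed archive: (unsafe entry names, extraction refused?)."""
    data = build_demo_archive()
    bad = unsafe_members(data)
    with tempfile.TemporaryDirectory() as tmp:
        try:
            safe_extract(data, tmp)
            refused = False
        except ValueError:
            refused = True
    return bad, refused


if __name__ == "__main__":
    print(demo())
```

Rejecting the archive outright, rather than skipping the offending entries, is the right behaviour for a branding upload: a legitimate theme package never needs to write outside its own directory, and a partial extraction would leave an administrator with a half-installed theme and no clear signal that something was wrong. Logging the rejected entry names gives the operations team a concrete indicator to follow up on.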


Remediation

Install the update from the vendor's website.