Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)



Published: 2021-04-12 | Updated: 2021-04-21
Risk Critical
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2021-20021
CVE-2021-20022
CWE ID CWE-287
CWE-434
Exploitation vector Network
Public exploit Vulnerability #1 is being exploited in the wild.
Vulnerability #2 is being exploited in the wild.
Vulnerable software
Subscribe
SonicWall On-premise Email Security (ES)
Client/Desktop applications / Antivirus software/Personal firewalls

SonicWall Hosted Email Security (HES)
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor

Security Advisory

Updated: 21.04.2021

Updated vulnerabilities description, related to in the wild exploitation of the vulnerabilities as well as information, disclosed by FireEye. Raised severity level of the bulletin from High to Critical.

1) Improper Authentication

Risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-20021

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a “role.ouadmin” account and authenticate to the application as an administrator.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SonicWall On-premise Email Security (ES): before 10.0.9.6103, 10.0.9.6105

SonicWall Hosted Email Security (HES): before 10.0.9.6103

CPE External links

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

2) Arbitrary file upload

Risk: High

CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C] [PCI]

CVE-ID: CVE-2021-20022

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

Exploit availability: No

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to insufficient validation of file during file upload within the branding feature. A remote administrator can upload a malicious ZIP archive to the system to an arbitrary location using directory traversal sequences in the filenames inside the uploaded archive and compromise the affected system.

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

SonicWall On-premise Email Security (ES): before 10.0.9.6103, 10.0.9.6105

SonicWall Hosted Email Security (HES): before 10.0.9.6103

CPE External links

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###