Path traversal in SonicWall Email Security



Published: 2021-04-20 | Updated: 2021-04-21
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-20023
CWE-ID CWE-22
Exploitation vector Network
Public exploit This vulnerability is being exploited in the wild.
Vulnerable software
Subscribe
SonicWall On-premise Email Security (ES)
Client/Desktop applications / Antivirus software/Personal firewalls

SonicWall Hosted Email Security (HES)
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor

Security Bulletin

This security bulletin contains information about 1 vulnerabilities.

Updated: 21.04.2021

Updated vulnerability description, related to in the wild exploitation as well as information, disclosed by FireEye. Raised severity level of the bulletin from Medium to High.

1) Path traversal

EUVDB-ID: #VU52377

Risk: High

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-20023

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote user to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences within the "branding"  feature. A remote authenticated user can send a specially crafted HTTP request and read arbitrary files on the system with NT AUTHORITY\SYSTEM account.

Request example:

https://<SonicWall ES host>/dload_apps?action=<any value>&path=..%2F..%2F..%2F..%2F..%2Fwindows%2Fsystem32%2Fcalc.exe&id=update

Note, the vulnerability is being actively exploited in the wild.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SonicWall On-premise Email Security (ES): before 10.0.9.6173

SonicWall Hosted Email Security (HES): before 10.0.9.6177

External links

http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010
http://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.



###SIDEBAR###