#VU52038 Improper Authentication in SonicWall On-premise Email Security (ES) and SonicWall Hosted Email Security (HES)


Published: 2021-04-12 | Updated: 2021-04-21

Vulnerability identifier: #VU52038

Vulnerability risk: Critical

CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2021-20021

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SonicWall On-premise Email Security (ES)
Client/Desktop applications / Antivirus software/Personal firewalls
SonicWall Hosted Email Security (HES)
Client/Desktop applications / Antivirus software/Personal firewalls

Vendor:

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a “role.ouadmin” account and authenticate to the application as an administrator.

Note, the vulnerability is being actively exploited in the wild.

Mitigation
Install updates from vendor's website.

Vulnerable software versions


External links
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
http://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.


Latest bulletins with this vulnerability