Vulnerability identifier: #VU52038
Vulnerability risk: Critical
CVSSv3.1: 9.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
SonicWall On-premise Email Security (ES)
Client/Desktop applications /
Antivirus software/Personal firewalls
SonicWall Hosted Email Security (HES)
Client/Desktop applications /
Antivirus software/Personal firewalls
Vendor:
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests within the "/createou?data=", responsible for administration capabilities, specifically within the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organization Unit (AD OU). Requests to this form are not verified to require previous authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a “role.ouadmin” account and authenticate to the application as an administrator.
Note, the vulnerability is being actively exploited in the wild.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
http://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.