SonicWall Email Security zero-days need urgent patch

Users of SonicWall Email Security are being urged to patch a series of three critical zero-days that were first identified almost a fortnight ago, but are likely to have been exploited in the wild since March and are only now beginning to be publicised, leading to questions for the firm.

The three vulnerabilities have been assigned CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 and exist in various versions of SonicWall’s Email Security product as listed by the supplier in its advisory. The vulnerabilities also exist in some versions of the product that have been end-of-lifed and are no longer receiving support – for legacy users, SonicWall is urging a full upgrade.

CVE-2021-20021 is a pre-authentication admin account creation vulnerability that could enable a malicious actor to create an admin account by sending a specially crafted HTTP request to the remote host.

CVE-2021-20022 is a post-authentication arbitrary file creation vulnerability whereby a post-authenticated attacker could upload an arbitrary file to the remote host.

CVE-2021-20023 is a post-authentication arbitrary file read vulnerability whereby an attacker could read an arbitrary file from the remote host.

SonicWall said: “Through the course of standard collaboration and testing, SonicWall has verified, tested and published patches to mitigate three zero-day vulnerabilities to its hosted and on-premise email security products.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild’. It is imperative that organisations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.” 

The three vulnerabilities were first discovered by FireEye Mandiant researchers during an incident response engagement. In this incident, the vulnerabilities were chained to obtain admin rights and code execution capabilities on an on-premise SonicWall Email Security device. Mandiant said the attacker had “intimate” knowledge of the SonicWall product which they exploited to install a backdoor, access their victim’s files and emails, and move laterally into their network.

Meanwhile, SonicWall is facing criticism over the speed and urgency of its response after waiting a week after quietly releasing patches beginning on 9 April to inform users that the zero-days were being actively exploited, information that many security professionals would consider somewhat urgent when it comes to patching strategies.

According to SonicWall’s boilerplate, the Email Security product “provides comprehensive inbound and outbound protection, and defends against advanced email-borne threats such as ransomware, zero-day threats, spear phishing and business email compromise (BEC)”, so its compromise is a definite source of concern.

In a further statement, SonicWall told Computer Weekly: “SonicWall designed, tested and published patches to correct the issues and communicated these mitigations to customers and partners. SonicWall strongly encourages customers, as well as organisations worldwide, to maintain diligence in patch management to strengthen the community’s collective security posture.”

This is the second time in 2021 that SonicWall has had zero-days discovered in its products. In January, Computer Weekly’s sister site SearchSecurity reported on probable zero-days in its Secure Mobile Access 100 product that were confirmed as such after a fortnight-long probe.