SonicWall warns customers to patch 3 zero-days exploited in the wild

Security hardware manufacturer SonicWall is urging customers to patch a set of three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild,'” SonicWall said in a security advisory published earlier today.

The company said it’s “imperative” that organizations using its Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server machines immediately upgrade to a patched version.

The three zero-days were reported by Mandiant’s Josh Fleischer and Chris DiGiamo, and they are tracked as:

• CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation vulnerability that allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host (security updates released on April 9th)
• CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host  (security updates released on April 9th)
• CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read vulnerability that enables a post-authenticated attacker to read an arbitrary file from the remote host  (security updates released on April 19th)

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” FireEye said.

“Mandiant currently tracks this activity as UNC2682. Ultimately, Mandiant prevented UNC2682 from completing their mission so their objectives of the attack currently remain unknown.”

The full list of SonicWall products affected by the three zero-days is available in the table below, together with information on the patched versions and links to security advisories. 

SonicWall Hosted Email Security (HES) was automatically patched on Monday, April 19th, and no action is needed from customers only using SonicWall’s hosted email security product. 

Step-by-step guidance on how to apply the security updates is available in this knowledgebase article. 

“SonicWall Email Security versions 7.0.0-9.2.2 are also impacted by the above vulnerabilities,” the company added.

“However, these legacy versions have reached end of life (EOL) and are no longer supported. Organizations using these legacy product versions and have an active support license can download the latest Email Security versions from their MySonicWall account.”

SonicWall disclosed in January 2021 that unknown threat actors exploited a zero-day vulnerability in their Secure Mobile Access (SMA) and NetExtender VPN client products in attacks targeting the company’s internal systems.

One month later, SonicWall fixed an actively exploited zero-day vulnerability impacting the SMA 100 series of SonicWall networking devices.