Security hardware manufacturer SonicWall has reported three zero-day vulnerabilities affecting its on-premises and hosted Email Security products, at least one of which has been exploited in an attack. The company urges customers to patch them as soon as possible.
“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild,’” SonicWall said in yesterday’s security advisory.
All organizations using SonicWall’s Email Security hardware appliances, virtual appliances, or software installations on Microsoft Windows Server must immediately upgrade to a patched version.
Mandiant Managed Defense researchers Josh Fleischer and Chris DiGiamo reported the three zero-days:
- CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation vulnerability – an attacker can create an administrative account by sending a crafted HTTP request to the remote host;
- CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation vulnerability – a post-authenticated attacker can upload an arbitrary file to the remote host;
- CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read vulnerability – a post-authenticated attacker can read an arbitrary file from the remote host.
SonicWall released security updates for the bugs on April 9th and April 19th.
Attackers chained these vulnerabilities, one after another, to gain administrative access and execute malicious code on SonicWall ES devices.
“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” FireEye said in a post.
The full list of SonicWall products affected by the three zero-days is available from FireEye.
A step-by-step guide on applying the security updates is available in this knowledge base article from SonicWall.