Zero-Day Vulnerabilities in SonicWall Email Security
21 April 2021
SonicWall has released security updates for their Email Security (ES) product to patch three zero-day vulnerabilities. There have been reports of active exploitation of these vulnerabilities.
The vulnerabilities are:
- CVE-2021-20021 — A pre-authentication administrative account creation vulnerability that allows an unauthenticated attacker to potentially create an administrative account by sending a crafted HTTP request to the remote host
- CVE-2021-20022 and CVE-2021-20023 — Post-authentication arbitrary file creation and arbitrary file read vulnerabilities that allow an authenticated attacker to potentially upload or read an arbitrary file on the remote host
These vulnerabilities have been fixed in ES versions 10.0.1, 10.0.2, 10.0.3 and 10.0.4-Present.
Administrators are advised to upgrade their ES appliances or software installations to the latest versions (10.0.9.6177 or 10.0.9.6173) immediately.
Organisations using legacy ES versions 7.0.0 - 9.2.2 with an active support license are strongly advised to upgrade to the latest ES version.
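As an added example (not part of this advisory and not SonicWall's own tooling), the following Python helper applies the upgrade guidance above to an inventory of installed ES versions. The fixed builds and the legacy range are the values quoted in the advisory; the rule that any build at or above 10.0.9.6173 (the lower of the two listed builds) counts as current is an assumption of mine, as are the function names and labels.

```python
# Added example: triage SonicWall ES versions against the advisory's guidance.
# Version numbers are taken from the advisory; everything else is illustrative.
from __future__ import annotations

FIXED_BUILDS = ("10.0.9.6177", "10.0.9.6173")  # latest versions named in the advisory
LEGACY_RANGE = ("7.0.0", "9.2.2")               # legacy branch with active support

REMEDIATION = {
    "patched": "no action required",
    "upgrade": "upgrade to 10.0.9.6177 or 10.0.9.6173 immediately",
    "legacy": "legacy ES branch: upgrade to the latest ES version",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.9.6177' into (10, 0, 9, 6177); reject non-numeric strings."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def version_key(text: str) -> tuple[int, ...]:
    """Pad to four components so '10.0.9' and '10.0.9.6173' compare sensibly."""
    v = parse_version(text)
    return v + (0,) * (4 - len(v))


def triage(installed: str) -> str:
    """Classify one installed version as 'patched', 'upgrade' or 'legacy'.

    Assumption (mine): a build at or above 10.0.9.6173 is treated as current.
    """
    v = version_key(installed)
    lo, hi = version_key(LEGACY_RANGE[0]), version_key(LEGACY_RANGE[1])
    if lo <= v <= hi:
        return "legacy"
    if v >= min(version_key(b) for b in FIXED_BUILDS):
        return "patched"
    return "upgrade"


def triage_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> remediation text for a {host: version} inventory."""
    return {host: REMEDIATION[triage(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mx1": "10.0.9.6177", "mx2": "10.0.4", "mx3": "9.2.2"}
    for host, advice in triage_inventory(sample).items():
        print(f"{host}: {advice}")
```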
More information is available here:
https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html