SonicWall Email Security (ES) – Zero-Day Vulnerabilities being Actively Exploited

What you need to know

Are the disclosed zero day vulnerabilities patched? Partially; SonicWall advises advises all customers and partners to upgrade to the 10.0.9.6173 Hotfix for Windows users, and the 10.0.9.6177 Hotfix for hardware and ESXi virtual appliance users. SonicWall Hosted Email Security product was automatically updated for all customers and no additional action is required for patching purposes.

Are workarounds available? YES; apply the hotfix (mentioned above)

Are these vulnerabilities being actively exploited? YES; according to Mandiant, the adversary leveraged these vulnerabilities to install a backdoor, access files and emails, and move laterally into the victim organization’s network.

Additional Information

According to Mandiant, threat actors are currently using three zero-day vulnerabilities in SonicWall’s Email Security(ES) product to bypass authentication (CVE-2021-20021), read sensitive files on the device (CVE-2021-20023), and modify local files or upload web shells which they could use as backdoors (CVE-2021-20022).

Recommended Actions
To mitigate the three CVEs, Mandiant and SonicWall recommend upgrading Email Security to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware & ESXi Virtual Appliances). Organizations using SonicWall Hosted Email Security (HES) products were automatically updated and no action is required for those customers. Read more at FireEye.

Additional resources:

• https://us-cert.cisa.gov/ncas/current-activity/2021/04/21/sonicwall-releases-patches-email-security-products
• https://therecord.media/hackers-go-after-sonicwall-email-appliances-with-three-zero-days/