SonicWall is urging its customers to apply its newest software patches, as attackers have been exploiting three zero-day vulnerabilities against unsuspecting users. The security company said on Tuesday that fixes had been released to patch the three critical vulnerabilities in its products.
SonicWall provides advanced security solutions designed to protect email and communication traffic on business and corporate networks. Its products can be deployed as a physical appliance, virtual appliance, and software installation, as well as a cloud-hosted (SaaS) solution.
Three Zero-Day Vulnerabilities Detected
In a statement, the company warned that organizations running SonicWall Email Security (ES) hardware appliances, virtual appliances, and software installations on Microsoft Windows Server are exposed, as the three bugs were found being exploited by malicious actors, with at least one active exploitation against an appliance recorded.
The vulnerabilities tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impact SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
CVE-2021-20021, described as "Email Security Pre-Authentication Administrative Account Creation," could allow an unauthenticated attacker to create an administrative account on the remote host.
CVE-2021-20022, or "Email Security Post-Authentication Arbitrary File Creation," could be used by post-authenticated attackers to upload arbitrary files to the remote host.
CVE-2021-20023, "Email Security Post-Authentication Arbitrary File Read," allows post-authenticated attackers to read arbitrary files from the remote host.
The vulnerabilities were initially discovered by FireEye's Mandiant researchers, who disclosed the bugs to SonicWall's Product Security Incident Response Team.
Josh Fleischer, Chris DiGiamo, and Alex Pennino, members of the Mandiant team, said that the flaws were used in an attack chain, where the hackers obtained administrative access and executed code on vulnerable ES products, including installing a backdoor.
SonicWall has addressed the issue and released security patches, available in product version 10.0.9.6173 for Email Security software or 10.0.9.6177 for the Hardware/ESXi Virtual Appliance.
Clients who use SonicWall Hosted Email Security do not need to take action as the system was automatically updated in version 10.0.9.6173.
However, the company warns that SonicWall ES versions 7.0.0-9.2.2, which are end-of-life products, cannot be patched. SonicWall encourages users of these legacy products to upgrade immediately.
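The version figures above (10.0.1 and later affected; 10.0.9.6173 and 10.0.9.6177 fixed; 7.0.0 through 9.2.2 end-of-life and unpatchable) are enough to triage an asset inventory. The following helper is an added example, not SonicWall's or Mandiant's code; the platform keys ("software", "hosted", "appliance") and the sample inventory rows are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Figures from the advisory above. Platform keys are constructed for this example.
FIXED_BUILD: Dict[str, Tuple[int, ...]] = {
    "software": (10, 0, 9, 6173),   # SonicWall ES software install
    "hosted": (10, 0, 9, 6173),     # Hosted Email Security (auto-updated)
    "appliance": (10, 0, 9, 6177),  # hardware / ESXi virtual appliance
}
EOL_LOW, EOL_HIGH = (7, 0, 0), (9, 2, 2)   # end-of-life branch, no patch exists
FIRST_AFFECTED = (10, 0, 1)

def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.9.6173' -> (10, 0, 9, 6173). Raises ValueError on malformed input."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)

def pad(v: Tuple[int, ...], n: int) -> Tuple[int, ...]:
    """Right-pad with zeros and cut to n fields so '10.0.9' and '10.0.9.0' compare equal."""
    return (v + (0,) * n)[:n]

def classify(version: str, platform: str) -> str:
    """Return 'eol', 'vulnerable', 'fixed' or 'unknown' for one host."""
    if platform not in FIXED_BUILD:
        raise ValueError(f"unknown platform {platform!r}")
    v = parse_version(version)
    branch = pad(v, 3)
    if EOL_LOW <= branch <= EOL_HIGH:
        return "eol"            # cannot be patched; the product must be upgraded
    if branch < FIRST_AFFECTED:
        return "unknown"        # outside every range the advisory names
    return "fixed" if pad(v, 4) >= FIXED_BUILD[platform] else "vulnerable"

def triage(inventory: List[str]) -> List[Tuple[str, str]]:
    """Rows are 'hostname,platform,version'; returns (hostname, status) per row."""
    results = []
    for row in inventory:
        host, platform, version = (f.strip() for f in row.split(","))
        results.append((host, classify(version, platform)))
    return results

# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    "mail-gw-01, appliance, 10.0.9.6173",   # fixed build for software, not for appliances
    "mail-gw-02, appliance, 10.0.9.6177",
    "es-win-01, software, 10.0.4",
    "legacy-es, software, 9.2.2",
]
```

Note that an appliance reporting 10.0.9.6173 is still flagged, because the appliance fix is the separate 10.0.9.6177 build.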