Multiple Vulnerabilities in SonicWall Email Security Could Allow for Arbitrary Code Execution

DESCRIPTION:
Multiple vulnerabilities in SonicWall Email Security (ES) could allow
for arbitrary code execution. Successful exploitation of these
vulnerabilities could allow for arbitrary code execution. SonicWall
Email Security (ES) is an email security solution that provides
comprehensive inbound and outbound protection, and defends against
advanced email-borne threats such as ransomware, zero-day threats, spear
phishing and business email compromise (BEC). The solution can be
deployed as a physical appliance, virtual appliance, software
installation, or a hosted SaaS solution. Depending on the privileges
associated with the application, an attacker could then install
programs; view, change, or delete data; or create new accounts with full
user rights. Applications that are configured to have fewer user rights
on the system could be less impacted than those that operate with
administrative user rights.

IMPACT:
Multiple vulnerabilities have been discovered in SonicWall Email
Security (ES) that could allow for arbitrary code execution. These
vulnerabilities can be exploited using a chain style attack which is
included in the below vulnerabilities:

* A pre-authentication admin account creation vulnerability that could
enable a malicious actor to create an admin account by sending a
specially crafted HTTP request to the remote host (CVE-2021-20021)
* A post-authentication arbitrary file creation vulnerability whereby a
post-authenticated attacker could upload an arbitrary file to the remote
host (CVE-2021-20022)
* A post-authentication arbitrary file read vulnerability whereby an
attacker could read an arbitrary file from the remote host (CVE-2021-20023)

Successful exploitation of these vulnerabilities could allow for
arbitrary code execution. Depending on the privileges associated with
the application, an attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.
Applications that are configured to have fewer user rights on the system
could be less impacted than those that operate with administrative user
rights.

SYSTEM AFFECTED:
* SonicWall Email Security (ES) Versions 10.0.1-.4 – Present
* SonicWall Hosted Email Security (HES) Versions 10.0.1-.4 – Present

RECOMMENDATIONS:
We recommend the following actions be taken:

* Apply appropriate patches provided by SonicWall to vulnerable systems
immediately after appropriate testing.
* Block external access at the network boundary, unless external parties
require service.
* If global access isn’t needed, filter access to the affected computer
at the network boundary. Restricting access to only trusted computers
and networks might greatly reduce the likelihood of successful exploits.
* Run all software as a nonprivileged user with minimal access rights.
To mitigate the impact of a successful exploit, run the affected
application as a user with minimal access rights.
* Deploy network intrusion detection systems to monitor network traffic
for malicious activity.
* Deploy NIDS to detect and block attacks and anomalous activity such as
requests containing suspicious URI sequences. Since the webserver may
log such requests, review its logs regularly.
* Implement multiple redundant layers of security. Since this issue may
be leveraged to execute code, we recommend memory-protection schemes,
such as nonexecutable stack/heap configurations and randomly mapped
memory segments. This tactic may complicate exploit attempts of
memory-corruption vulnerabilities.

REFERENCES:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20022
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20023
https://www.fireeye.com/blog/threat-research/2021/04/zero-day-exploits-in-sonicwall-email-security-lead-to-compromise.html
https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/

Share