SonicWall has released urgent patches for three critical zero-day vulnerabilities in its Email Security product: CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023.
In an urgent security alert published on April 20, 2021, SonicWall said:
“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’ It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed below.” – SonicWall
SonicWall Hosted Email Security (HES) was patched on April 19, 2021, so no action is needed for customers who use the hosted email security product.
Summary of CVEs patched:
- CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation.
- CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation.
- CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read.
Patched versions of products:
- Email Security – 10.0.9.6173 (Windows)
- Email Security – 10.0.9.6177 (Hardware & ESXi Virtual Appliance)
- Hosted Email Security – 10.0.9.6173 (patched automatically).
Each of these versions addresses the affected Email Security product versions 10.0.1, 10.0.2, 10.0.3, 10.0.4 or newer.
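As an added example (not SonicWall's own tooling), the following script compares an installed Email Security build number against the patched builds listed above so an administrator can quickly tell which installations still need the update. It assumes a dotted numeric version string such as the ones in the advisory and uses its own platform labels (`windows`, `appliance`, `hosted`); the affected floor of 10.0.1 comes from the advisory text.

```python
# Added example: version check for the SonicWall Email Security advisory.
# Not vendor code; the platform keys below are this script's own labels.
from typing import Tuple

# Patched builds exactly as listed in the advisory.
PATCHED_BUILDS = {
    "windows": "10.0.9.6173",    # Email Security on Windows
    "appliance": "10.0.9.6177",  # hardware and ESXi virtual appliance
    "hosted": "10.0.9.6173",     # Hosted Email Security, patched by the vendor
}

# The advisory lists 10.0.1, 10.0.2, 10.0.3, 10.0.4 "or newer" as affected.
AFFECTED_FLOOR = "10.0.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.9.6173' into (10, 0, 9, 6173); raises ValueError on junk."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not parts:
        raise ValueError("empty version string")
    return parts


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to or newer than b.
    Shorter strings are padded with zeros, so '10.0.9' < '10.0.9.6173'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def assess(installed: str, platform: str) -> str:
    """Classify an installed build for the given platform.

    Returns 'patched', 'vulnerable' or 'outside-advisory-range'
    (the last for builds older than 10.0.1, which the advisory does not list).
    """
    try:
        patched = PATCHED_BUILDS[platform]
    except KeyError:
        raise ValueError(f"unknown platform {platform!r}; "
                         f"expected one of {sorted(PATCHED_BUILDS)}")
    if compare_versions(installed, AFFECTED_FLOOR) < 0:
        return "outside-advisory-range"
    if compare_versions(installed, patched) >= 0:
        return "patched"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, platform, reported build).
    inventory = [
        ("mail-gw-01", "appliance", "10.0.9.6173"),
        ("mail-win-02", "windows", "10.0.9.6173"),
        ("mail-lab-03", "windows", "10.0.4.1234"),
    ]
    for host, platform, build in inventory:
        print(f"{host:12} {platform:9} {build:14} -> {assess(build, platform)}")
```

Note that the same build string can be patched on one platform and not on another: 10.0.9.6173 is the fixed Windows build, but the appliance fix is 10.0.9.6177, which is why the check is keyed by platform rather than by version alone.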