Zero-day vulnerability in SonicWall On-premise Email Security (ES)

Improper Authentication
CVE-2021-20021

The vulnerability was used in a chained attack along with two other post-authentication vulnerabilities #VU52039 and #VU52377 to fully compromise the affected system.

Vulnerability details

Advisory: SB2021041210 - Multiple vulnerabilities in SonicWall On-premise Email Security (ES) and Hosted Email Security (HES)

Vulnerable component: SonicWall On-premise Email Security (ES)

CVE-ID: CVE-2021-20021

CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-287 - Improper Authentication

Description:

The vulnerability allows a remote attacker to bypass the authentication process.

The vulnerability exists due to an error when processing authentication requests within the "/createou?data=" endpoint, which is responsible for administration capabilities, specifically the feature that allows application administrators to authorize an additional administrator account from a separate Microsoft Active Directory Organizational Unit (AD OU). Requests to this form are not verified to require prior authentication to the appliance. A remote non-authenticated attacker can send a specially crafted XML document via HTTP GET or POST method, create a "role.ouadmin" account and authenticate to the application as an administrator.

Note, the vulnerability is being actively exploited in the wild.
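As an added example (not part of the advisory and not SonicWall's own tooling), the following Python script scans web-server access-log lines for requests to the "/createou" endpoint described above, so that a defender can review whether any of them arrived before a login. The Common Log Format layout and the sample entries are constructed assumptions; adapt the regular expression to the appliance's actual log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not real appliance logs.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2021:10:12:01 +0000] "GET /createou?data=%3Cxml%3E HTTP/1.1" 200 512
198.51.100.4 - - [20/Apr/2021:10:13:22 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [20/Apr/2021:10:14:05 +0000] "POST /createou HTTP/1.1" 200 128
192.0.2.9 - - [20/Apr/2021:10:15:44 +0000] "GET /index.html HTTP/1.1" 200 4096
"""

# Assumed CLF layout: client, ident, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_createou_requests(log_text: str) -> list[dict]:
    """Return every request whose path is exactly /createou.

    The endpoint is an administrative function, so each hit should be
    correlated with the appliance's login records: a request with no
    preceding successful login from the same client is the pattern to
    investigate. For POST requests the XML travels in the body, which
    CLF does not record, so only the GET form exposes the data parameter.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/createou":
            continue
        hits.append({
            "src": m["src"],
            "timestamp": m["ts"],
            "method": m["method"],
            "status": int(m["status"]),
            "has_data_param": "data" in parse_qs(parts.query),
        })
    return hits

def sources_hitting_createou(log_text: str) -> dict[str, int]:
    """Count /createou requests per client address to prioritise review."""
    counts: dict[str, int] = {}
    for hit in find_createou_requests(log_text):
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return counts
```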