CVE-2021-20022
Published: 09 April 2021
Summary
CVE-2021-20022 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in SonicWall Email Security. Its CVSS base score is 7.2 (High).
Operationally, it ranks in the top 3.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
SonicWall Email Security version 10.0.9.x is affected by an arbitrary file upload vulnerability tracked as CVE-2021-20022 and classified as CWE-434. The flaw lets a remote attacker who has already authenticated place an arbitrary file on the host. It carries a CVSS 3.1 base score of 7.2 (network attack vector, low attack complexity, high impact on confidentiality, integrity, and availability).
A post-authenticated attacker who already holds valid administrative credentials can exploit the weakness over the network to upload and execute arbitrary files, gaining full control of the affected Email Security appliance.
The official SonicWall advisory SNWLID-2021-0008 describes the issue and the corresponding remediation steps, while CISA lists the CVE in its Known Exploited Vulnerabilities catalog, confirming that in-the-wild exploitation has been observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-7485
Vulnerability details
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of file uploads to block arbitrary/unrestricted files of the kind exploited in CVE-2021-20022.
- CM-7 (Least Functionality): Disables or restricts the unnecessary file-upload capability that the post-authenticated attacker abuses to achieve code execution.
- Limits which authenticated administrators can perform system-changing file uploads, reducing the attack surface described in the CVE.