Skip to content

PRODUCT NOTICE: SonicWall Email Security & Anti-Spam BCC Notification

    SonicWall is committed to maintaining the privacy and security of personal information. For this reason, we are notifying you about a recent issue we discovered related to our hosted and on-prem Email Security products and Comprehensive Anti-Spam Service (CASS) used on next-generation firewalls.

Because we value the importance of your privacy and information security, we are treating this matter very seriously.

What happened?

SonicWall recently became aware that Email Security (ES) 10.0.7, Hosted Email Security (HES) 10.0.7 and the SonicWall Comprehensive Anti-Spam Service allow recipients of emails to potentially view the email addresses included in the ‘BCC’ field if the recipient clicks on the header information of the email.

Once SonicWall learned of the issue, we launched a full investigation into the scope of the incident and took corrective measures to address the matter.

What information was involved?

The only information potentially exposed are email address(es), if any, in the BCC line of the email header. This information is only available if the recipient accesses the header information of the email they receive. The BCC addresses are not accessible via emails sent as a reply to the original impacted email or if the impacted email is forwarded.

What actions were taken?

SonicWall takes the privacy and security of personal information seriously. As soon as SonicWall validated the issue, we moved quickly to ensure the 10.0.7 release for impacted products was removed from our site.

In addition, we are releasing version 10.0.8 for our Email Security (on-premise), HES (cloud) and CASS products. The 10.0.8 release addresses the issue such that BCC email addresses will not be accessible by a recipient if you are using this release.

What do customers using on-premise products need to do? • If your organization is using on-premise Email Security 10.0.7, we recommend you immediately discontinue the use of this version and either upgrade your firmware to release 10.0.8 or downgrade to release 10.0.6. • Email Security 10.0.8 will be rolled out on MySonicWall.com between now and September 21, 2020. Please review the KB article “How Do I Upgrade Firmware on an Email Security Appliance?” for assistance with the upgrade process or visit sonicwall.com/support. • If you’re unable to upgrade to 10.0.8 upon its release, SonicWall recommends downgrading to 10.0.6 until the upgrade can be completed. Please review the KB article, “How to Downgrade Firmware on an Email Security Appliance,” for assistance with the downgrade process or visit sonicwall.com/support. • SonicWall’s policies regarding support of prior release versions apply. What do customers using hosted products need to do? • HES is a cloud product and was automatically upgraded to 10.0.8 version on September 17, 2020. No further steps are necessary for customers using this product. • CASS is a cloud product and was automatically upgraded to 10.0.8 version on September 17, 2020. No further steps are necessary for customers using this product. Please note: All emails sent with addresses in the BCC field via HES, CASS and on-premise ES versions of 10.0.7 cannot be retroactively corrected with the update to 10.0.8.

As a company, we value honesty and openness, which is why we wanted to assure you that steps have been taken to prevent a similar issue from occurring in the future.

Please direct any questions to privacy@sonicwall.com.

Thank you,

SonicWall

Previous article SonicWall DoS & XSS Vulnerabilities
Next article SonicWall SSL-VPN Misconfiguration Leads To Possible Domain Name (DNS) Collision Vulnerability

More SonicWall News Posts

  • Product Security Notice:  SONICWALL SSL-VPN SMA100 Series Vulnerabilities
    December 7, 2023 Esther McNally

    Product Security Notice: SONICWALL SSL-VPN SMA100 Series Vulnerabilities

    SONICWALL SSL-VPN SMA100 version 10.X is affected by multiple vulnerabilities Overview CVE-2023-44221: Post Authentication OS Command Injection Vulnerability (CVSS Score: 7.2) Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege...

    Read now
  • Turn On Your MFA
    November 9, 2023 Esther McNally

    Turn On Your MFA

    With millions of stolen credentials currently up for sale, the time for stronger authentication is now. In “Star Trek: The Next Generation,” Jean-Luc Picard famously said, “It is possible to commit no mistakes and still lose.” This applies to many...

    Read now
  • Password Pro Tips
    November 7, 2023 Esther McNally

    Password Pro Tips

    A solid password is instrumental to keeping your important accounts and information safeguarded. October is typically associated with pumpkin spice lattes, college football, crunching leaves underfoot and ghostly fun, but did you know it’s also Cybersecurity Awareness Month? This is...

    Read now