PRODUCT NOTICE: SonicWall Email Security & Anti-Spam BCC Notification
SonicWall is committed to maintaining the privacy and security of personal information. For this reason, we are notifying you about a recent issue we discovered related to our hosted and on-prem Email Security products and Comprehensive Anti-Spam Service (CASS) used on next-generation firewalls.
Because we value the importance of your privacy and information security, we are treating this matter very seriously.
SonicWall recently became aware that Email Security (ES) 10.0.7, Hosted Email Security (HES) 10.0.7 and the SonicWall Comprehensive Anti-Spam Service allow recipients of emails to potentially view the email addresses included in the ‘BCC’ field if the recipient clicks on the header information of the email.
Once SonicWall learned of the issue, we launched a full investigation into the scope of the incident and took corrective measures to address the matter.
What information was involved?
The only information potentially exposed is the email address(es), if any, in the BCC line of the email header. This information is only available if the recipient accesses the header information of the email they receive. The BCC addresses are not accessible via emails sent as a reply to the original impacted email or if the impacted email is forwarded.
What actions were taken?
SonicWall takes the privacy and security of personal information seriously. As soon as SonicWall validated the issue, we moved quickly to ensure the 10.0.7 release for impacted products was removed from our site.
In addition, we are releasing version 10.0.8 for our Email Security (on-premise), HES (cloud) and CASS products. The 10.0.8 release addresses the issue such that BCC email addresses will not be accessible by a recipient if you are using this release.
What do customers using on-premise products need to do?
• If your organization is using on-premise Email Security 10.0.7, we recommend you immediately discontinue the use of this version and either upgrade your firmware to release 10.0.8 or downgrade to release 10.0.6.
• Email Security 10.0.8 will be rolled out on MySonicWall.com between now and September 21, 2020. Please review the KB article “How Do I Upgrade Firmware on an Email Security Appliance?” for assistance with the upgrade process or visit sonicwall.com/support.
• If you’re unable to upgrade to 10.0.8 upon its release, SonicWall recommends downgrading to 10.0.6 until the upgrade can be completed. Please review the KB article, “How to Downgrade Firmware on an Email Security Appliance,” for assistance with the downgrade process or visit sonicwall.com/support.
• SonicWall’s policies regarding support of prior release versions apply.
What do customers using hosted products need to do?
• HES is a cloud product and was automatically upgraded to 10.0.8 version on September 17, 2020. No further steps are necessary for customers using this product.
• CASS is a cloud product and was automatically upgraded to 10.0.8 version on September 17, 2020. No further steps are necessary for customers using this product.
Please note: All emails sent with addresses in the BCC field via HES, CASS and on-premise ES versions of 10.0.7 cannot be retroactively corrected with the update to 10.0.8.
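Because messages already delivered through 10.0.7 cannot be corrected, an administrator may want to audit stored mail for copies that still carry BCC addresses in their headers. The following is an added example, not SonicWall code: it assumes the exposure appears as a literal `Bcc` (or `Resent-Bcc`) header in the delivered copy, which the notice does not specify, and the sample messages are constructed.

```python
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Assumption: the leaked addresses sit in a literal Bcc header (RFC 5322)
# of the delivered copy. The notice does not name the header.
BCC_HEADERS = ("Bcc", "Resent-Bcc")


def find_bcc_exposure(raw_message: bytes):
    """Return a finding if the delivered message still carries Bcc
    addresses in its headers, otherwise None."""
    # headersonly=True: the body is irrelevant and may be large.
    msg = BytesParser(policy=policy.default).parsebytes(
        raw_message, headersonly=True)
    values = []
    for name in BCC_HEADERS:  # header lookup is case-insensitive
        values.extend(str(v) for v in msg.get_all(name, []))
    # The parser unfolds continuation lines; getaddresses splits the list.
    exposed = sorted({a.lower() for _, a in getaddresses(values) if a})
    if not exposed:
        return None
    return {"message_id": str(msg.get("Message-ID", "")).strip(),
            "exposed": exposed}


def audit(raw_messages):
    """Run the check over many raw messages and keep only the findings."""
    results = (find_bcc_exposure(m) for m in raw_messages)
    return [r for r in results if r is not None]


# Constructed sample messages (not real traffic).
SAMPLES = [
    b"From: sender@example.org\r\nTo: team@example.org\r\n"
    b"Bcc: bob@example.com,\r\n Alice <ALICE@example.com>\r\n"
    b"Message-ID: <m1@example.org>\r\nSubject: folded Bcc\r\n\r\nbody\r\n",
    b"From: sender@example.org\r\nTo: team@example.org\r\n"
    b"bcc: carol@example.net\r\n"
    b"Message-ID: <m2@example.org>\r\nSubject: lowercase name\r\n\r\nbody\r\n",
    b"From: sender@example.org\r\nTo: team@example.org\r\n"
    b"Message-ID: <m3@example.org>\r\nSubject: clean\r\n\r\nbody\r\n",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print(finding["message_id"], ", ".join(finding["exposed"]))
```

Feed it the raw bytes of messages from a journal, archive or mailbox export, limited to the period when 10.0.7 was in use.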
As a company, we value honesty and openness, which is why we wanted to assure you that steps have been taken to prevent a similar issue from occurring in the future.
Please direct any questions to [email protected].