
Three Zero-Days in SonicWall Enterprise Email Security Appliances Actively Exploited

Security vendor SonicWall has addressed three zero-day vulnerabilities affecting both its on-premises and hosted Email Security products.

SonicWall is warning its customers to update their hosted and on-premises email security products to address three zero-day vulnerabilities that are being actively exploited in the wild.

The three vulnerabilities addressed by the security vendor are:

  • CVE-2021-20021: Email Security Pre-Authentication Administrative Account Creation: A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
  • CVE-2021-20022: Email Security Post-Authentication Arbitrary File Creation: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to upload an arbitrary file to the remote host.
  • CVE-2021-20023: Email Security Post-Authentication Arbitrary File Read: SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.

The CVE-2021-20021 and CVE-2021-20022 flaws were discovered by FireEye’s Mandiant team on March 26, 2021, while investigating an attack against one of its customers that was running an instance of SonicWall’s Email Security (ES) application on a Windows Server 2012 installation. The CVE-2021-20023 flaw was also discovered by FireEye and reported to the SonicWall Product Security and Incident Response Team (PSIRT) on April 6, 2021.

“In March 2021, Mandiant Managed Defense identified three zero-day vulnerabilities in SonicWall’s Email Security (ES) product that were being exploited in the wild. These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device.” reads the advisory published by FireEye. “The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network.”

FireEye researchers provided details about the way the threat actor, tracked as UNC2682, exploited the issues.

Attackers exploited the CVE-2021-20021 and CVE-2021-20023 flaws to gain administrative access to the device and read its configuration files, gathering intelligence on existing accounts and Active Directory credentials. The attackers then leveraged the CVE-2021-20022 issue to upload a crafted ZIP archive containing a JSP-based web shell called BEHINDER. BEHINDER is a publicly available, multi-platform web shell that lets attackers establish encrypted connections with their command-and-control (C2) infrastructure.
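As an added defensive example (not code from the article, FireEye or SonicWall), the check below inspects an archive for the kind of content the upload step above relies on: server-side script entries such as .jsp files, plus absolute or path-traversal entry names that would let a file land outside the intended directory. The sample archive, its file names and the extension list are constructed for this example.

```python
import io
import zipfile

# Extensions that execute server-side if written under a Java web root.
# Constructed list for this example; extend it to match the deployment.
SERVER_SCRIPT_EXTS = (".jsp", ".jspx", ".jspf", ".war")


def suspicious_zip_entries(zip_bytes):
    """Return a list of (entry_name, reason) for archive entries that a
    web-shell drop typically depends on: server-side script files,
    absolute paths, or '..' path traversal in the entry name."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            parts = name.replace("\\", "/").split("/")
            # Absolute POSIX path, UNC-style path, or Windows drive letter.
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path"))
            if ".." in parts:
                findings.append((name, "path traversal"))
            for ext in SERVER_SCRIPT_EXTS:
                if lower.endswith(ext):
                    findings.append((name, f"server-side script ({ext})"))
                    break
    return findings


def build_sample_zip():
    """Constructed sample archive: one benign file, one JSP entry and one
    traversal entry. The JSP body is a placeholder, not a real web shell."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("branding/logo.png", b"\x89PNG placeholder")
        zf.writestr("branding/index.jsp", "<% /* placeholder */ %>")
        zf.writestr("../../webapps/ROOT/x.txt", "traversal")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in suspicious_zip_entries(build_sample_zip()):
        print(f"{reason}: {entry}")
```

The function only reports; whether to reject the upload, quarantine it or just alert is a policy decision for the operator. Because it reads entry names from the central directory, it works on archives of any size without extracting them.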

“With the addition of a web shell to the server, the adversary had unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\SYSTEM account.” continues the analysis published by FireEye.

“After clearing the SonicWall application “webui.json” log file, the adversary escalated their attack to credential harvesting in preparation of moving laterally into the victim’s network. The adversary relied on “living off the land” techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product.”

SonicWall is urging its customers to update their installs

“Through the course of standard collaboration and testing, SonicWall has verified, tested and published patches to mitigate three zero-day vulnerabilities to its hosted and on-premises email security products.” reads the advisory published by the security vendor.

“In at least one known case, these vulnerabilities have been observed to be exploited ‘in the wild.’ It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed below.”

The company published step-by-step guidance on how to apply the updates; the following table provides additional details about affected and patched versions.

Email Security (ES), Windows:
  • Affected versions: 10.0.4-Present, 10.0.3, 10.0.2, 10.0.1
  • Patched version: Email Security 10.0.9.6173 (Windows)
  • PSIRT advisory IDs: SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010
  • Applicable CVEs: CVE-2021-20021, CVE-2021-20022, CVE-2021-20023

Email Security (ES), Hardware & ESXi Virtual Appliance:
  • Affected versions: 10.0.4-Present, 10.0.3, 10.0.2, 10.0.1
  • Patched version: Email Security 10.0.9.6177 (Hardware & ESXi Virtual Appliance)
  • PSIRT advisory IDs: SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010
  • Applicable CVEs: CVE-2021-20021, CVE-2021-20022, CVE-2021-20023

Hosted Email Security (HES):
  • Affected versions: 10.0.4-Present, 10.0.3, 10.0.2, 10.0.1
  • Patched version: Hosted Email Security 10.0.9.6173 (Patched Automatically)
  • PSIRT advisory IDs: SNWLID-2021-0007, SNWLID-2021-0008, SNWLID-2021-0010
  • Applicable CVEs: CVE-2021-20021, CVE-2021-20022, CVE-2021-20023
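As an added example, not part of the article or of SonicWall's own guidance, the script below turns the version table into a triage check over an inventory of Email Security installs. The point it makes is that the patched build differs by platform (10.0.9.6173 on Windows and hosted, 10.0.9.6177 on hardware and ESXi appliances), so a single version threshold is not enough. The platform keys, the 10.0.1 lower bound of the affected range, and every hostname and version in SAMPLE_INVENTORY are assumptions constructed for this example.

```python
import re

# Minimum patched build per deployment type, taken from SonicWall's table.
# The platform keys themselves are an assumption for this example.
PATCHED_BUILDS = {
    "windows": "10.0.9.6173",
    "appliance": "10.0.9.6177",   # hardware and ESXi virtual appliance
    "hosted": "10.0.9.6173",      # patched automatically by SonicWall
}
# Earliest release the advisory lists as affected (assumed lower bound).
MIN_AFFECTED = "10.0.1"
AFFECTED_CVES = ("CVE-2021-20021", "CVE-2021-20022", "CVE-2021-20023")


def parse_version(version):
    """Turn '10.0.9.6173' into a comparable tuple of ints.
    Missing trailing components count as 0, so '10.0.3' < '10.0.3.1'."""
    nums = [int(x) for x in re.findall(r"\d+", version)]
    return tuple(nums + [0] * (4 - len(nums)))


def patch_status(platform, version):
    """Classify one install: 'patch_required', 'patched', or
    'outside_advisory_range' for builds older than anything the table lists.
    Unknown platforms raise rather than silently passing."""
    if platform not in PATCHED_BUILDS:
        raise ValueError(f"unknown platform {platform!r}")
    v = parse_version(version)
    if v < parse_version(MIN_AFFECTED):
        return "outside_advisory_range"
    if v < parse_version(PATCHED_BUILDS[platform]):
        return "patch_required"
    return "patched"


def triage(inventory):
    """inventory: iterable of (hostname, platform, version).
    Returns (hostname, version, required_build) for every install that
    still needs the fix for the three CVEs."""
    todo = []
    for host, platform, version in inventory:
        if patch_status(platform, version) == "patch_required":
            todo.append((host, version, PATCHED_BUILDS[platform]))
    return todo


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("es-win-01", "windows", "10.0.9.6105"),
    ("es-win-02", "windows", "10.0.9.6173"),
    ("es-esxi-01", "appliance", "10.0.9.6173"),   # enough on Windows, not here
    ("es-hw-01", "appliance", "10.0.9.6177"),
    ("es-old-01", "windows", "10.0.3"),
    ("es-legacy-01", "windows", "9.2.1"),         # predates the advisory table
]

if __name__ == "__main__":
    for host, version, needed in triage(SAMPLE_INVENTORY):
        print(f"{host}: running {version}, needs {needed} ({', '.join(AFFECTED_CVES)})")
```

The es-esxi-01 row is the one worth noticing: 10.0.9.6173 is the patched build for Windows, but an ESXi appliance needs 10.0.9.6177, so it is still flagged. Builds older than 10.0.1 are reported separately rather than as patched, since the advisory table says nothing about them.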


Pierluigi Paganini

(SecurityAffairs – hacking, SonicWall)
