Three Zero-Day Vulnerabilities in SonicWall Email Security are Being Actively Exploited

Share this article on:

Three zero-day vulnerabilities have been identified in SonicWall Email Security products that are being actively exploited in the wild by at least one threat actor. The vulnerabilities can be chained to gain administrative access to enterprise networks and achieve code execution.

SonicWall Email Security solutions are deployed as a physical appliance, virtual appliance, software installation, or as a hosted SaaS solution and provide protection from phishing, spear phishing, malware, ransomware, and BEC attacks. The solutions do not need to be Internet facing, but hundreds are exposed to the Internet and are vulnerable to attack.

In one instance, a threat actor with intimate knowledge of the SonicWall application exploited the vulnerabilities to gain administrative access to the application and installed a backdoor that provided persistent access. The threat actor was able to access files and emails, harvest credentials from memory, and then used those credentials to move laterally within the victim’s network.

The three vulnerabilities were identified by the Mandiant Managed Defense team. SonicWall has now developed, tested, and released patches to correct the flaws. The SonicWall Hosted Email Security product was automatically updated on April 21, 2021 so customers using the hosted email security solution do not need to take any action, but users of other vulnerable SonicWall Email Security products will need to apply the patches to prevent exploitation.

SonicWall said “It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade.”

The most serious vulnerability is a pre-authentication flaw with a severity score of 9.8 out of 10. The other two vulnerabilities have CVSS scores of 7.2 and 6.7.

  • CVE-2021-20021 – Pre-authentication vulnerability allowing remote attackers to create administrative accounts by sending specially crafted HTTP requests to a remote host. (CVSS 9.8)
  • CVE-2021-20022 – Post-authentication vulnerability allowing uploads of arbitrary files to a remote host. (CVSS 7.2)
  • CVE-2021-20023 – Post-authentication vulnerability allowing arbitrary file read on a remote host. (CVSS 6.7)

Mandiant identified the threat actor exploiting the vulnerabilities as UNC2682 and blocked the attack before the threat group could achieve its final aim, so the objective of the attack is unknown. Other threat groups may also attempt to exploit the vulnerabilities to obtain persistent access to enterprise networks and steal sensitive data.

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain,” explained Mandiant. “The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Affected Product Version Patched Version CVEs
SonicWall Email Security versions 10.0.4-Present 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.3 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.2 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 10.0.1 10.0.9.6173 (Windows) and 10.0.9.6177 (Hardware & ESXi Virtual Appliance) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Email Security 7.0.0-9.2.2 Active support license allows upgrade to above secure versions but without an active support license upgrades are not possible CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.4-Present HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.3 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.2 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023
SonicWall Hosted Email Security 10.0.1 HES 10.0.9.6173 (Automatically patched) CVE-2021-20021; CVE-2021-20022; CVE-2021-20023

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On