Three Actively Exploited Zero-Day Vulnerabilities in SonicWall Email Security

Three zero-day vulnerabilities were found in SonicWall Email Security solutions are being actively exploited in the wild by one or more threat actors. The vulnerabilities may be chained to obtain admin access to enterprise systems and do code execution.

SonicWall Email Security products are used as a physical machine, virtual appliance, as a hosted SaaS solution or software installation, and offer security from phishing, spear phishing, ransomware, malware, and BEC attacks. The products don’t require Internet-facing, however, hundreds are open to the web and are prone to attack.

In one case, a threat actor who has a personal understanding of the SonicWall application took advantage of the vulnerabilities and got administrative access to the software application. Installing a backdoor granted the threat actor persistent access. With the ability to access files and email messages, and collect credentials from memory, the threat actor then utilized that information to move laterally throughout the victim’s system.

The Mandiant Managed Defense team identified the three vulnerabilities. SonicWall has currently created, analyzed, and launched patches to fix the vulnerabilities. The SonicWall Hosted Email Security solution was immediately updated on April 21, 2021 so that clients utilizing the hosted email security solution have no need to do anything, however, users of other unsecured SonicWall Email Security solutions must implement the patches to avoid being exploited.

SonicWall stated that organizations utilizing SonicWall Email Security virtual appliances, hardware appliances, or software installation on Microsoft Windows Server need to upgrade right away.

The really serious vulnerability is the pre-authentication vulnerability having an assigned CVSS score of 9.8 of 10. The CVSS scores of the other two vulnerabilities were 7.2 and 6.7.

The pre-authentication vulnerability CVE-2021-20021 can allow remote hackers to set up administrative accounts by transmitting specially created HTTP requests to a remote host. (CVSS 9.8)

The post-authentication vulnerability CVE-2021-20022 can allow the hacker to upload arbitrary files to a remote host. (CVSS 7.2)

Another post-authentication vulnerability CVE-2021-20023 can allow an arbitrary file read on a remote host. (CVSS 6.7)

Mandiant discovered the threat actor taking advantage of the vulnerabilities as UNC2682 and stopped the attack before the threat group can accomplish its final goal, thus the purpose of the attack is not known. Other threat groups might also be attempting to take advantage of the vulnerabilities to get persistent access to business networks and swipe sensitive information.

During the activity, the victim company was utilizing identical local Administrator password in several hosts in their domain, that allowed the threat actor to easily move laterally within the context of this account. Therefore, randomizing passwords to pre-installed Windows accounts on every host within a domain is vital. The threat actor was able to quickly execute internal reconnaissance activity before being singled out and taken out from the system.

The following product versions are affected by the vulnerabilities:

  • SonicWall Hosted Email Security 10.0.1 HES (Automatically patched)
  • SonicWall Hosted Email Security 10.0.2 HES (Automatically patched)
  • SonicWall Hosted Email Security 10.0.3 HES (Automatically patched)
  • SonicWall Hosted Email Security 10.0.4-Present – HES (Automatically patched)
  • SonicWall Email Security 10.0.1- (Windows) and (Hardware & ESXi Virtual Appliance)
  • SonicWall Email Security 10.0.2 – (Windows) and (Hardware & ESXi Virtual Appliance)
  • SonicWall Email Security 10.0.3 – (Windows) and (Hardware & ESXi Virtual Appliance)
  • SonicWall Email Security versions 10.0.4-Present – (Windows) and (Hardware & ESXi Virtual Appliance)
  • SonicWall Email Security 7.0.0-9.2.2- Active support license enables upgrade to previously secure versions however with no active support license, upgrades aren’t feasible.
Link copied to clipboard
Photo of author

Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.