3 zero-day exploits hit SonicWall enterprise email security appliances
SonicWall has addressed three critical security flaws in its hosted and on-premises Email Security (ES) products that were being actively exploited in the wild. Two of the flaws, tracked as CVE-2021-20021 and CVE-2021-20022, were discovered and reported to the company by FireEye's Mandiant subsidiary on March 26, 2021, after the cybersecurity firm detected post-exploitation web shell activity on an internet-accessible system within a customer's environment. That system was running SonicWall's ES application on a Windows Server 2012 installation. A third flaw, CVE-2021-20023, was identified by FireEye and disclosed to SonicWall on April 6, 2021. FireEye is tracking the malicious activity under the moniker UNC2682.
"These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device," researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino stated.
"The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network."
A short summary of the three vulnerabilities is given below:
- CVE-2021-20021 (CVSS score: 9.4) - Permits an unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host
- CVE-2021-20022 (CVSS score: 6.7) - Permits a post-authenticated attacker to upload an arbitrary file to the remote host, and
- CVE-2021-20023 (CVSS score: 6.7) - A directory traversal vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
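The third flaw belongs to the directory traversal class: a handler joins a user-supplied file name onto a base directory without checking that the resolved path stays inside it. The following is an added example of that bug pattern next to a hardened version; it is not SonicWall's code, says nothing about the real ES endpoint or its parameters, and the directory names, file names and probe strings are constructed for the demonstration. It goes beyond the single case on the page by also rejecting percent-encoded, double-encoded and backslash variants of `..`, which a check done on the raw request string would miss.

```python
"""Directory traversal: vulnerable vs hardened file-read handler.

Added example for the vulnerability class of CVE-2021-20023 (post-auth
arbitrary file read). Not SonicWall's code; all paths and names below are
hypothetical and constructed for illustration.
"""
import os
import tempfile
import urllib.parse


def vulnerable_read(base_dir: str, requested: str) -> bytes:
    """Naive handler: joins the user-supplied name onto the base directory.

    os.path.join keeps '..' segments, so a request for '../secret.txt'
    escapes base_dir. This is the bug pattern; kept here only for contrast.
    """
    path = os.path.join(base_dir, requested)
    with open(path, "rb") as fh:
        return fh.read()


def safe_resolve(base_dir: str, requested: str) -> str:
    """Resolve `requested` inside `base_dir`, or raise ValueError.

    1. Percent-decode repeatedly so '..%2F' and double-encoded '%252e%252e'
       cannot slip past a check done on the encoded string.
    2. Treat backslashes as separators (the affected host was Windows).
    3. Canonicalise with realpath (collapses '..', resolves symlinks).
    4. Check containment with commonpath rather than a string prefix test,
       which would wrongly accept '/srv/data_evil' for base '/srv/data'.
    """
    decoded = requested
    for _ in range(3):  # bounded: stop once a decode pass changes nothing
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = decoded.replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {requested!r}")
    return candidate


def hardened_read(base_dir: str, requested: str) -> bytes:
    """File-read handler that refuses anything outside base_dir."""
    with open(safe_resolve(base_dir, requested), "rb") as fh:
        return fh.read()


def is_rejected(base_dir: str, requested: str) -> bool:
    """True if the hardened resolver refuses `requested` (no file access needed)."""
    try:
        safe_resolve(base_dir, requested)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway tree (constructed data) and exercise both handlers.

    Returns the outcomes as a dict so they can be inspected or asserted on.
    """
    root = tempfile.mkdtemp()
    base = os.path.join(root, "archives")       # hypothetical archive dir
    os.makedirs(base)
    with open(os.path.join(base, "2021-03-26.log"), "wb") as fh:
        fh.write(b"mail archive")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:   # outside base
        fh.write(b"db password")

    out = {}
    out["vuln_normal"] = vulnerable_read(base, "2021-03-26.log")
    out["vuln_traversal"] = vulnerable_read(base, "../secret.txt")  # escapes!
    out["hard_normal"] = hardened_read(base, "2021-03-26.log")
    probes = ("../secret.txt", "..%2Fsecret.txt",
              "%252e%252e/secret.txt", "..\\secret.txt")
    out["hard_rejected_all"] = all(is_rejected(base, p) for p in probes)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment test is the part worth copying: decode first, canonicalise, then compare canonical paths with `commonpath`. Checking for the literal substring `..` before decoding, or using `startswith` on the prefix, are the two shortcuts that keep this bug class alive.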
"With the addition of a web shell to the server, the adversary had unrestricted access to the command prompt, with the inherited permissions of the NT AUTHORITY\SYSTEM account," FireEye said, adding that the attacker then used "living off the land" (LotL) techniques to harvest credentials, move laterally across the network, and "compress a subdirectory [that] contains daily archives of emails processed by SonicWall ES."
The Milpitas-headquartered network security company characterized the findings as the result of routine collaboration with third-party researchers and forensic analysis firms to ensure that its products adhere to security best practices.
"Through the course of this process, SonicWall was made aware of and verified certain zero-day vulnerabilities — in at least one known case, being exploited in the wild — to its hosted and on-premises email security products," the company said in a statement to The Hacker News. "SonicWall designed, tested, and published patches to correct the issues and communicated these mitigations to customers and partners."