Three Zero-Day Vulnerabilities Affect SonicWall Enterprise Email Security Appliances

SonicWall Tackles Critical Security Vulnerabilities Targeting Email Security Solutions

SonicWall has recently patched three severe security vulnerabilities in its email security products that have been exploited in the wild. These vulnerabilities, identified as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, were disclosed following an investigation by FireEye’s Mandiant subsidiary. The first two flaws were reported on March 26, 2021, after Mandiant observed post-exploitation activity on a system running SonicWall’s Email Security application on Windows Server 2012. The third vulnerability was brought to SonicWall’s attention on April 6, 2021.

The compromised systems are primarily hosted or on-premises email security solutions utilized by organizations, making this a significant concern for businesses relying on SonicWall’s technology. FireEye is monitoring the exploitation of these vulnerabilities under the designation UNC2682. Attackers successfully leveraged these vulnerabilities to gain administrative access and execute code within affected environments, thereby compromising the integrity of their systems.

The vulnerabilities offer distinct avenues for exploitation. CVE-2021-20021 allows an attacker to create an administrative account via a manipulated HTTP request, while CVE-2021-20022 enables an authenticated attacker to upload arbitrary files to the remote host. CVE-2021-20023 is a directory traversal vulnerability that permits the reading of arbitrary files on the remote host. Chained together, these vulnerabilities gave attackers significant access to sensitive information, including configuration files that contained Active Directory credentials.
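Directory traversal of the kind described for CVE-2021-20023 leaves a trace in web server access logs, but only if the detection normalizes the request path first: attackers commonly percent-encode (or double-encode) the `../` sequence and, on Windows hosts, substitute backslashes. The following Python detector is an added example, not code from the original article or from SonicWall; it runs over a few constructed Apache-style access-log lines (the IPs, paths and timestamps are made up, and the log format is a generic one, not SonicWall's) and flags traversal attempts after decoding, while leaving benign paths that merely contain `..` (such as `app..js`) alone.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in Apache "common" format (not real SonicWall logs).
SAMPLE_LOG = """\
10.0.0.5 - - [26/Mar/2021:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [26/Mar/2021:10:02:03 +0000] "GET /files/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [26/Mar/2021:10:02:10 +0000] "GET /files/%2e%2e%2f%2e%2e%2fwindows/win.ini HTTP/1.1" 200 220
10.0.0.9 - - [26/Mar/2021:10:02:15 +0000] "GET /files/%252e%252e%252fconfig.xml HTTP/1.1" 200 3000
10.0.0.7 - - [26/Mar/2021:10:03:00 +0000] "GET /static/app..js HTTP/1.1" 200 900
10.0.0.7 - - [26/Mar/2021:10:03:05 +0000] "GET /docs/..\\..\\boot.ini HTTP/1.1" 404 0
"""

# client, timestamp, method, request target, status code, response size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# A ".." path segment: at the start of the path or after a slash, followed by a slash or the end.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode until stable (catches %252e double encoding),
    and treat backslashes as path separators so Windows-style traversal is not missed."""
    path = target.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')


def find_traversal_attempts(log_text: str) -> List[dict]:
    """Return one record per request whose normalized path contains a '..' segment."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        norm = normalize_path(m['target'])
        if TRAVERSAL_RE.search(norm):
            status = int(m['status'])
            hits.append({
                'client': m['client'],
                'timestamp': m['ts'],
                'raw': m['target'],
                'normalized': norm,
                'status': status,
                # A 2xx on a traversal path means the server likely served the file.
                'served': 200 <= status < 300,
            })
    return hits


def summarize_by_client(hits: List[dict]) -> Dict[str, int]:
    """Count flagged requests per source address to surface the noisiest client."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h['client']] = counts.get(h['client'], 0) + 1
    return counts


if __name__ == '__main__':
    for hit in find_traversal_attempts(SAMPLE_LOG):
        flag = 'SERVED' if hit['served'] else 'blocked'
        print(f"{hit['timestamp']} {hit['client']} {flag} {hit['raw']} -> {hit['normalized']}")
    print(summarize_by_client(find_traversal_attempts(SAMPLE_LOG)))
```

The `served` flag is the part worth acting on: a traversal request answered with a 2xx is evidence that a file outside the web root was actually read, which is the scenario the article describes for the configuration files containing Active Directory credentials, and should be triaged ahead of the 404s.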

Researchers involved in the security analysis noted that the adversaries had a detailed understanding of the SonicWall application, enabling them to install backdoors, access critical files and emails, and move laterally within the victim organization’s network. The introduction of a web shell allowed attackers unrestricted command prompt access under the NT AUTHORITY\SYSTEM account, facilitating further credential harvesting and lateral movement across the network.
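Both the arbitrary file upload (CVE-2021-20022) and the web shell described above share one observable: a server-side script appears in, or an existing file changes under, a directory the web server serves, after the product was installed. File-integrity baselining catches that without needing signatures for any particular shell. The Python below is an added example, not code from the original article or from SonicWall: it hashes a known-good web root into a baseline, then on audit reports new, modified and deleted files, rating new or changed server-side script types as high severity. The `demo()` function builds a throwaway directory with constructed placeholder files to show the flow; the extension list and severity rules are assumptions for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Extensions a web server would execute; a new file of this kind in a web root is the
# classic footprint of an uploaded web shell (assumed list, extend for your platform).
SCRIPT_EXTENSIONS = {'.jsp', '.jspx', '.aspx', '.asp', '.ashx', '.php'}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open('rb') as f:
        for chunk in iter(lambda: f.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(web_root: Path) -> Dict[str, str]:
    """Map each file's path (relative to web_root, '/'-separated) to its digest.
    Take this on a clean install and store it off-box so an intruder cannot edit it."""
    return {
        str(p.relative_to(web_root)).replace(os.sep, '/'): hash_file(p)
        for p in sorted(web_root.rglob('*')) if p.is_file()
    }


def audit_web_root(web_root: Path, baseline: Dict[str, str]) -> List[dict]:
    """Compare the current tree against the baseline and return sorted findings."""
    findings = []
    current = build_baseline(web_root)
    for rel, digest in current.items():
        if rel not in baseline:
            change = 'new'
        elif baseline[rel] != digest:
            change = 'modified'
        else:
            continue  # unchanged file, nothing to report
        is_script = Path(rel).suffix.lower() in SCRIPT_EXTENSIONS
        findings.append({'path': rel, 'change': change,
                         'severity': 'high' if is_script else 'low'})
    for rel in baseline:
        if rel not in current:
            findings.append({'path': rel, 'change': 'deleted', 'severity': 'low'})
    return sorted(findings, key=lambda f: f['path'])


def demo() -> List[dict]:
    """Constructed scenario: baseline a tiny web root, then simulate an uploaded
    server-side script and an edit to an existing page, and audit the result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / 'static').mkdir()
        (root / 'static' / 'app.js').write_text('console.log("ok");')
        (root / 'index.html').write_text('<html></html>')
        baseline = build_baseline(root)

        # Post-baseline changes (placeholder content, not a real shell).
        (root / 'uploads').mkdir()
        (root / 'uploads' / 'report.jsp').write_text('<%-- constructed placeholder --%>')
        (root / 'index.html').write_text('<html><!-- edited --></html>')
        return audit_web_root(root, baseline)


if __name__ == '__main__':
    for finding in demo():
        print(f"{finding['severity']:4} {finding['change']:8} {finding['path']}")
```

Run the audit from a scheduled job with the baseline stored on a separate host; a `new`/`high` finding is the trigger to pull the file for analysis and to check the process tree of the web server for child shells, which is how the SYSTEM-level command access described above would show up on the endpoint.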

The attacks observed included internal reconnaissance activities conducted by the threat actor before their eventual isolation from the network, underscoring the importance of rapid response measures to mitigate such incidents. The underlying motive for the intrusion remains undetermined.

SonicWall has encouraged its users to upgrade their systems to the specified hotfix versions to ensure protection against exploitation. Users of the SonicWall Hosted Email Security product had their systems automatically patched as of April 19, requiring no further action.

In an official statement, SonicWall confirmed that the identification and remediation of these vulnerabilities resulted from ongoing collaboration with third-party researchers and forensic analysis teams. The firm is committed to maintaining the security of its products and has issued patches to rectify these critical issues.

Reflecting on the recent breaches, organizations worldwide must remain vigilant in reviewing their cybersecurity infrastructure. Effective measures against attacks may include mapping defenses to the MITRE ATT&CK framework, with particular attention to the initial access, privilege escalation, and persistence tactics, since these are crucial for understanding the methodologies attackers employed here. By maintaining strong security practices and ensuring timely updates, businesses can better safeguard against similar threats.
