SonicWall Patches 3 Zero-Day FlawsFireEye: Vulnerabilities Could Be Used to Access Email, Pivot Further Into Systems
SonicWall has patched three zero-day vulnerabilities in the hosted and on-premises versions of its Email Security product after attackers began exploiting them last month.
FireEye Mandiant, which uncovered the flaws, says it has seen attackers using the three vulnerabilities to place web shells, or remote access scripts, on systems. That access can then be used to access an organization's email, FireEye says in a blog post. The attackers can also use access to pivot further into victims' systems, often referred to as lateral movement, the security firm adds.
The vulnerable software includes both hosted and on-premises Email Security versions 10.0.1 and up, according to a SonicWall advisory.
For Windows, organizations should update to Email Security version 10.0.9.6173 and version 10.0.9.6177 for hardware appliances and ESXi Virtual Appliances.
FireEye Mandiant detected attacks linked to the vulnerabilities and alerted SonicWall on March 26. Hotfixes and patches for two of the vulnerabilities, CVE-2021-20021 and CVE-2021-20022, were distributed privately to SonicWall customers on April 9, and a patch for the third one, CVE-2021-20023, was distributed Monday.
A Challenging Year
The latest findings add to what has been a challenging year for SonicWall. In February, the company disclosed that its own systems had been compromised via zero-day vulnerabilities in its Secure Mobile Access product. The company issued patches and upgraded the firmware for its SMA 100 series products.
There are also strong indications that SonicWall was subsequently subjected to an extortion attempt. A threat actor who published evidence of access to SonicWall's internal systems claimed the company paid him to prevent the publishing of sensitive data (see: SonicWall Was Hacked. Was It Also Extorted?).
FireEye says the new zero-day exploitation activity doesn’t link to a known attack group or to the earlier malicious activity against the SMA products. FireEye dubs the latest exploit activity UNC2683. UNC stands for uncategorized.
"We don't connect this group to the group that exploited the SMAs," says Charles Carmakal, senior vice president and CTO with FireEye Mandiant. "We have limited data on this group."
The most critical vulnerability, CVE-2021-20021, which requires no authentication to exploit, enables targeting an unsecured API endpoint, according to FireEye. An attacker can send a well-crafted XML document to that endpoint and create an administrator account.
The availability of that endpoint hinges on how the Email Security product is deployed. Email Security has a web-accessible administrative interface that's used for configuring the product, and sometimes that interface is exposed to the internet, FireEye writes. Internet scans show 700 interfaces are publicly exposed, it says.
FireEye says it identified a post-exploitation web shell on the system of one of its customers that had the latest version of Email Security exposed to the internet running on Windows Server 2012.
"The adversary-installed web shell was being served through the HTTPS-enabled Apache Tomcat web server bundled with SonicWall ES," the company writes. "Due to the web shell being served in the application’s bundled web server, we immediately suspected the compromise was associated with the SonicWall ES application itself."
FireEye found two other post-authentication vulnerabilities that are being used in concert with CVE-2021-20021. One of those, CVE-2021-20022, is a so-called Zip Slip directory transversal flaw, allowing an attacker to place malicious files in arbitrary locations.
When exploiting this flaw in Email Security, attackers abuse a branding assets feature that lets admins upload company logos or other content for the Email Security admin interface. But instead of logos, attackers can upload arbitrary and executable code, such as web shells. The files aren't validated, FireEye writes.
In one instance, FireEye says it saw a web shell known as BEHINDER put on a victim's system. That’s a lightweight web shell similar to one known as CHINA CHOPPER that takes commands from within HTTP requests, FireEye writes.
The other flaw, CVE-2021-20023, is also related to the branding feature. That flaw allows an attacker to use directory transversal to retrieve arbitrary files from the host. To put it another way, an attacker can access files outside of the branding feature directory and access any file on the operating system.