Executive Summary
CVE-2021-20021 is a critical vulnerability affecting SonicWall Email Security versions 10.0.9.x. It allows a remote, unauthenticated attacker to create an administrative account by sending a specially crafted HTTP request to the affected system. The issue has been actively exploited in the wild, particularly in ransomware campaigns, which have targeted organizations across a range of industries in the United States and Europe. Immediate action is required to mitigate the risks associated with this vulnerability.
Technical Information
CVE-2021-20021 is a severe security flaw in SonicWall Email Security products. It has been assigned a CVSS v3.1 score of 9.8 (Critical), reflecting both its high impact and its ease of exploitation. The weakness is classified as CWE-269 (Improper Privilege Management), which allows an attacker to gain unauthorized administrative access.
The affected products are SonicWall Email Security versions before 10.0.9.6103 and SonicWall Hosted Email Security versions before 10.0.9.6103. The vulnerability can be exploited remotely without any authentication, which makes it highly dangerous. Its EPSS score of 1.01% is the estimated probability of exploitation activity within the next 30 days, a level the authors regard as significant.
The technical root cause of this vulnerability lies in the improper handling of privilege management within the SonicWall Email Security system. An attacker can exploit this issue by sending a specially crafted HTTP request to the affected system. This request allows the attacker to create an administrative account without any authentication, thereby gaining full control over the system.
Exploitation in the Wild
This vulnerability has been actively exploited in the wild, particularly in ransomware campaigns. Attackers leverage this issue to gain administrative access to the SonicWall Email Security system, which can then be used to further compromise the network. The exploitation of this vulnerability is part of an exploit chain that includes CVE-2021-20022. Indicators of Compromise (IOCs) include unusual administrative account creation and unexpected HTTP requests to the SonicWall Email Security system.
APT Groups using this vulnerability
While specific Advanced Persistent Threat (APT) groups exploiting this vulnerability have not been publicly identified, the use of this vulnerability in ransomware campaigns suggests that financially motivated threat actors are likely involved. These campaigns have targeted various sectors across the United States and Europe, indicating a broad and opportunistic approach by the attackers.
Affected Product Versions
The products affected by CVE-2021-20021 include:
- SonicWall Email Security versions before 10.0.9.6103
- SonicWall Hosted Email Security versions before 10.0.9.6103
Organizations using these versions are at high risk and should take immediate action to mitigate the vulnerability.
Workaround and Mitigation
To mitigate the risks associated with CVE-2021-20021, organizations should:
- Apply Patches: SonicWall has released patches to address this vulnerability. Users should update to the latest version of SonicWall Email Security (10.0.9.6103 or later).
- Monitor Network Traffic: Implement network monitoring to detect any unusual activity that may indicate exploitation attempts. This includes monitoring for unexpected HTTP requests and administrative account creation.
- Review Administrative Accounts: Regularly review administrative accounts and remove any unauthorized accounts. This helps in identifying and mitigating any unauthorized access.
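The three mitigation steps above can be turned into routine checks. The following script is an added example written for this report and is not SonicWall's code or tooling: it compares a reported build number against the first fixed version (10.0.9.6103, from the advisory), reviews the current administrator list against an approved baseline, and scans audit log lines for administrative account creation that happened without an authenticated session or that produced an account outside the baseline. The log format, field names (`src`, `session`, `action`, `role`, `user`) and account names are constructed for illustration and are not SonicWall's real audit format; adapt the parser to the appliance's actual export.

```python
"""Defender-side checks for the CVE-2021-20021 mitigation guidance.

Added example, not SonicWall code. The audit-log format and the account
names below are constructed for illustration only.
"""
import re
from typing import Iterable, List, Dict

# First build that contains the fix, per the advisory (same for on-prem and Hosted).
FIXED_VERSION = "10.0.9.6103"

# Hypothetical approved administrator baseline; replace with your own list.
APPROVED_ADMINS = {"admin", "secops"}


def parse_version(version: str) -> tuple:
    """Turn '10.0.9.6100' into (10, 0, 9, 6100) so builds compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build sorts before the first fixed build.

    A shorter string such as '10.0.9' is a prefix of the fixed version and
    therefore sorts lower, i.e. it is treated as unpatched.
    """
    return parse_version(version) < parse_version(fixed)


def unauthorized_admins(current: Iterable[str],
                        approved: Iterable[str] = APPROVED_ADMINS) -> List[str]:
    """Administrator accounts present on the system but absent from the baseline."""
    return sorted(set(current) - set(approved))


# key=value pairs after the timestamp, e.g. 'action=create_account role=admin'
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a constructed audit line into a dict; the leading token is the timestamp."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = timestamp
    return fields


def suspicious_admin_creations(lines: Iterable[str],
                               approved: Iterable[str] = APPROVED_ADMINS) -> List[dict]:
    """Flag admin-account creation events that lack an authenticated session
    or that create an account outside the approved baseline."""
    approved = set(approved)
    hits = []
    for line in lines:
        event = parse_line(line)
        if event.get("action") != "create_account" or event.get("role") != "admin":
            continue
        reasons = []
        if event.get("session", "none") == "none":
            reasons.append("no authenticated session")
        if event.get("user") not in approved:
            reasons.append("account not on approved baseline")
        if reasons:
            hits.append({"ts": event["ts"], "user": event.get("user"),
                         "src": event.get("src"), "reasons": reasons})
    return hits


# Constructed sample log: one unauthenticated admin creation from an external
# address, one ordinary non-admin account creation, one normal login.
SAMPLE_LOG = [
    "2021-04-20T10:15:01Z src=203.0.113.7 session=none action=create_account role=admin user=backup_svc",
    "2021-04-20T10:16:44Z src=10.0.0.5 session=abc123 action=create_account role=operator user=jdoe",
    "2021-04-20T10:17:00Z src=10.0.0.5 session=abc123 action=login user=jdoe",
]


if __name__ == "__main__":
    for build in ("10.0.9.6100", "10.0.9.6103"):
        print(f"{build}: {'VULNERABLE' if is_vulnerable(build) else 'patched'}")
    print("unapproved admins:", unauthorized_admins(["admin", "backup_svc", "secops"]))
    for hit in suspicious_admin_creations(SAMPLE_LOG):
        print("ALERT", hit)
```

Run against a real export, the script should be fed the appliance's own audit log and the organization's current administrator list; any hit from `suspicious_admin_creations` or any name returned by `unauthorized_admins` warrants the account review described above before the system is considered clean.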
References
For further information and detailed analysis, please refer to the following resources:
- CVE Details
- NVD
- SonicWall Security Advisory
- CISA KEV Catalog
- Nopsec Bulletin
- Rapid7 Vulnerability Database
- Blackpoint Cyber Blog
- Google Cloud Threat Intelligence
- CISA Alert
Rescana is here for you
At Rescana, we are committed to helping our customers navigate the complex landscape of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides comprehensive monitoring and management of vulnerabilities, ensuring that your organization remains protected against emerging threats. If you have any questions about this report or any other issue, please do not hesitate to contact us at ops@rescana.com.