Three zero-day vulnerabilities impacting SonicWall's Email Security product were exploited in the wild last month, and the vendor is urging customers to update their software immediately.
The security vendor, which was breached via its own zero-days earlier this year, released a security notice Tuesday that both instructed customers to patch their versions of Email Security (ES) and disclosed that the group of vulnerabilities has been exploited "in at least one known case," though the attack was not ultimately successful.
The zero-days affect Email Security 10.0.1 onward (Windows, hardware and ESXi Virtual Appliance versions) and Hosted Email Security 10.0.1 onward. SonicWall's security notice mentions that Email Security versions 7.0.0-9.2.2 are also impacted; those versions are no longer supported, so customers with an active license can update to the latest product versions.
The zero-days include CVE-2021-20021, a critical vulnerability allowing an unauthorized party to create an administrative account; CVE-2021-20022, an arbitrary file upload vulnerability that can be exploited post-authentication; and CVE-2021-20023, an arbitrary file retrieval vulnerability that can, again, be exploited post-authentication.
Email Security received a hotfix for two of the vulnerabilities on April 9, while a third, CVE-2021-20023, was patched on April 19. Hosted Email Security was also patched April 19.
FireEye, which discovered the vulnerabilities and their exploitation in March, published a threat research blog post Tuesday covering the vulnerabilities in greater detail. According to the post, the vulnerabilities can be chained together to infiltrate and move laterally across a victim network. In fact, they already have been in at least one case.
"These vulnerabilities were executed in conjunction to obtain administrative access and code execution on a SonicWall ES device. The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization's network," the post read.
The blog post also noted that Mandiant Managed Defense first detected the attack and exploitation after identifying suspicious web shells inside a customer environment. Mandiant threat analysts later determined the attackers were using previously unknown vulnerabilities in SonicWall ES and engaging in post-exploit activity to erase any evidence of the intrusion; FireEye noted that the customer luckily had additional log files and a virtual server snapshot that allowed them to collect data and complete the investigation.
Mandiant, which is part of FireEye, tracks the attack as UNC2682, and according to the blog, its efforts "prevented UNC2682 from completing their mission." However, because of this, the attacker's objectives are currently unknown.
According to FireEye, CVE-2021-20021 and CVE-2021-20022 were disclosed to SonicWall on March 26 before being acknowledged on March 29. CVE-2021-20023, meanwhile, was reported on April 6 before acknowledgement and validation on April 9.
In its initial advisories for CVE-2021-20021 and CVE-2021-20022 on April 9, SonicWall did not disclose the exploitation or identify the vulnerabilities as zero-days. The vendor did not disclose exploitation until Tuesday's security notice a week and a half later. SearchSecurity contacted SonicWall for comment on the delayed announcement, and the vendor sent the following general statement via email:
"SonicWall routinely collaborates with third-party researchers and forensic analysis firms to ensure that our products meet or exceed security best practices. Through the course of this process, SonicWall was made aware of and verified certain zero-day vulnerabilities -- in at least one known case, being exploited in the wild -- to its hosted and on-premises email security products. SonicWall designed, tested and published patches to correct the issues and communicated these mitigations to customers and partners," the statement read. "SonicWall strongly encourages customers -- as well as organizations worldwide -- to maintain diligence in patch management to strengthen the community's collective security posture."
Alexander Culafi is a writer, journalist and podcaster based in Boston.