Unknown adversary found to be exploiting security flaws in the wild

Zero-day vulnerabilities in SonicWall email client led to network access, backdoors installed

FireEye has released details of zero-day vulnerabilities in SonicWall’s Email Security software which allowed attackers to obtain access to corporate networks and install backdoors on victim devices.

In March, researchers discovered three zero-day security flaws that were actively being exploited in the wild.

These included unauthorized administrative account creation (CVE-2021-20021), post-authentication arbitrary file upload (CVE-2021-20022), and post-authentication arbitrary file read (CVE-2021-20023) bugs.

“The adversary leveraged these vulnerabilities, with intimate knowledge of the SonicWall application, to install a backdoor, access files and emails, and move laterally into the victim organization’s network,” a technical write-up reads.

RELATED SonicWall updates users after ‘highly sophisticated’ cyber-attack leverages zero-day vulnerabilities

SonicWall Email Security (ES) provides protection against email-borne threats such as ransomware, zero-day threats, spear phishing, and business email compromise (BEC).

It can be deployed as a physical appliance, virtual appliance, software installation, or a hosted SaaS solution.

Chain reaction

Researchers from FireEye’s Mandiant threat research team noted how the attacker was able to chain the three vulnerabilities to gain access to a potential victim’s entire network.

SonicWall ES includes a feature which enables users to upload branding files such as a company logo. However, due to a lack of file validation, an attacker can upload arbitrary files, including executable code, such as web shells.

The blog post reads: “Once uploaded, these branding package ZIP archives are normally expanded and saved to the <SonicWall ES install path>\data\branding directory.

“However, an adversary could place malicious files in arbitrary locations, such as a web accessible Apache Tomcat directory, by crafting a ZIP archive containing a file within a sequence of directory traversal notations.”

Read more of the latest network security news

Another vulnerability in the branding feature allowed an adversary to retrieve arbitrary files from the host by sending crafted HTTP GET requests to a particular resource.

“While the working directory of this branding feature is <SonicWall ES install path>\data\updates, a directory-traversal vulnerability allows an adversary to access files located outside of this directory.

“As the Apache Tomcat webserver handling this request is operating as the NT AUTHORITY\SYSTEM account, any file on the operating system can be accessed,” the researchers explained.

Combined, the bug trio enabled the creation of a new administrator account on the SonicWall ES device; exposure of hashed passwords for existing, locally configured administrative accounts; the creation of a web shell in an arbitrary directory; and the real-time debugging of exploitation success and failure.

Evading detection

After gaining access to the administrative details, the attacker harvested credentials in order to move laterally across the network.

“The adversary relied on ‘living off the land’ techniques rather than bringing their own tools into the environment, which often has the benefit of potentially avoiding detections from a security product,” the post reads.

The attacker was able to access in-memory sensitive credentials and gain access to a file containing daily archived emails processed by SonicWall ES.

READ MORE Zero-day vulnerability in SonicWall products actively exploited in the wild

“At the time of activity, the victim organization was using the same local Administrator password across multiple hosts in their domain, which provided the adversary an easy opportunity to move laterally under the context of this account – highlighting the value of randomizing passwords to built-in Windows accounts on each host within a domain.

“We observed the adversary leveraging Impacket’s publicly available WMIEXEC.PY tool to access several internal hosts, which enabled remote command execution over Microsoft’s DCOM protocol via Windows Management Instrumentation (WMI).

“The adversary managed to briefly perform internal reconnaissance activity prior to being isolated and removed from the environment.”

Previous attacks

The recent disclosures are the latest in a series of serious vulnerabilities unearthed in SonicWall products.

In January 2021, SonicWall announced it had been the victim of a cyber-assault by “highly sophisticated threat actors”, who targeted vulnerabilities within its SMA 100 Series, a secure remote access client for use in corporate environments.

A month later, researchers from NCC Group confirmed that a zero-day bug in the SMA 100 Series was being actively exploited in the wild.


The latest vulnerabilities were patched before FireEye went public with its disclosure.

SonicWall has advised customers and partners to upgrade to the hotfix for Windows users, and the hotfix for hardware and ESXi virtual appliance users.

The SonicWall Hosted Email Security product was automatically updated for all customers.

The hotfixes will be superseded by the upcoming SonicWall ES 10.0.10 release.

YOU MAY ALSO LIKE Feds zap Exchange Server backdoors as Microsoft offers patches for further flaws