The company has released hotfixes for Windows users and also for hardware and ESXi virtual appliance users.
In a detailed blog post, researchers Josh Fleischer, Chris DiGiamo and Alex Pennino said the three flaws were run in conjunction to obtain admin access and execute code on a SonicWall ES device.
The attacker(s), who appeared to have complete knowledge of the device, used these vulnerabilities to install a backdoor, gain access to files and emails and move laterally within the target organisation's network.
The three vulnerabilities were listed as:
- CVE-2021-20021 (CVSS score 9.4) Unauthorised administrative account creation;
- CVE-2021-20022 (CVSS score 6.7) Post-authentication arbitrary file upload; and
- CVE-2021-20023 (CVSS score 6.7) Post-authentication arbitrary file read.
Fleischer, DiGiamo and Pennino wrote that they had found post-exploitation Web activity on an Internet-connected system in a customer's premises. This was isolated and examined for evidence to find out how the compromise had been effected.
SonicWall Email Security ecosystem overview. Courtesy SonicWall
"#SonicWall Researchers have shown how #ransomware could be installed remotely on an #IoT coffee machine." Security vendors have a responsibility to customers to stop scaring up sales and start fixing their products. It's not unique to SonicWall. — Kevin Beaumont (@GossiTheDog) April 20, 2021
"The system was quickly identified as a SonicWall Email Security application running on a standard Windows Server 2012 installation," they said. "The adversary-installed Web shell was being served through the HTTPS-enabled Apache Tomcat Web server bundled with SonicWall ES.
"Due to the Web shell being served in the application’s bundled Web server, we immediately suspected the compromise was associated with the SonicWall ES application itself."
Later, they found logs that showed the attacker(s) had tried to destroy evidence of the intrusion. However, other logs provided the evidence which the researchers sought.
How many companies challenge and test their vendors? Especially their security vendors. They *must* be good. Microsoft! They're amazing, we'd never challenge them. Forcepoint/Citrix/SAP/Microsoft. All guilty of huge issues in the last 12 months. — Jon (@samuriinbred) April 20, 2021
The trio said this activity was being tracked as UNC2682. "An UNC group is a cluster of related cyber-intrusion activity, which includes observable artifacts such as adversary infrastructure, tools, and tradecraft, that we are not yet ready to give a classification such as APT [advanced persistent threat] or FIN [a type of port scan]," they said.
Two of the three flaws were reported to SonicWall on 26 March, acknowledged three days later, and fixes were made available on 9 April. The third vulnerability was reported to SonicWall on 9 April and a patch was released on 19 April.
SonicWall has released a statement about the vulnerabilities on its website.