Researchers at security firm Mandiant Managed Defense were first to identify the three vulnerabilities, which were being actively exploited in the wild. In a blog post, the researchers described the attack made possible by the vulnerabilities.
They note that the flaws were chained and executed in conjunction by the threat actors in order to gain administrative access and code execution permissions on a SonicWall ES device.
We’re looking at how our readers use VPN for a forthcoming in-depth report. We’d love to hear your thoughts in the survey below. It won’t take more than 60 seconds of your time.
The good news, though, is that all three vulnerabilities have now been patched.
“It is imperative that organizations using SonicWall Email Security hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version,” said SonicWall.
One of the vulnerabilities, tracked as CVE-2021-20021, has a very high Common Vulnerability Scoring System (CVSS) rating of 9.4/10, as it can be exploited to create an administrative account by sending a crafted HTTP request to the remote host.
Mandiant researchers became aware of the vulnerabilities while investigating a post-exploitation backdoor in a customer’s SonicWall Email Security instance running atop a Windows Server 2012 installation.
They note that the attackers had intimate knowledge of the SonicWall application and used a combination of all the three exploits interchangeably to not just install a backdoor, but also access files and emails, and traverse the victim organization’s network.
SonicWall, for its part, has provided step-by-step instructions to enable its customers to apply the security update in order to mitigate the vulnerabilities.