CVE-2021-20021
Description
A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.
Ratings
- Attacker Value: Very High
- Exploitability: Very High
Technical Analysis
CVE-2021-20021 is being exploited in the wild to gain admin access to SonicWall Email Security appliances. RCE typically follows.
The vulnerable endpoint /createou is implemented as follows:
```xml
<servlet-mapping>
  <servlet-name>createou</servlet-name>
  <url-pattern>/createou</url-pattern>
</servlet-mapping>

<servlet>
  <servlet-name>createou</servlet-name>
  <servlet-class>com.mailfrontier.msgcenter.app.api.hosted.ActivateAccount</servlet-class>
  <init-param>
    <param-name>Method</param-name>
    <param-value>ActivateHES</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
```
```java
public void doBoth(HttpServletRequest request, HttpServletResponse response) throws IOException {
    Log.info("Request received to create OU.");
    // Input comes from the "data" parameter or, failing that, the raw request body.
    String inputXML = request.getParameter("data");
    String methodName = getInitParameter("Method");
    if (null == inputXML) {
        inputXML = readRequest(request);
    }
    if (StringUtil.isEmpty(inputXML)) {
        String str = HostedConfigurationManager.generateResponseXML("FAILURE", methodName, "100", "Input XML is empty.");
        sendResonse(str, response);
        return;
    }
    // No authentication or authorization check precedes the dispatch below.
    HostedConfigurationManager hostedMgr = new HostedConfigurationManager();
    String outputXML = null;
    if ("ActivateHES".equals(methodName)) {
        outputXML = hostedMgr.createAccount(inputXML, request.getLocale());
    } else if ("DeleteHES".equals(methodName)) {
        outputXML = hostedMgr.deleteOUAccount(inputXML);
    } else if ("ResetPasswordHES".equals(methodName)) {
        outputXML = hostedMgr.resetOUPassword(inputXML);
    } else if ("ActivateServiceHES".equals(methodName)) {
        outputXML = hostedMgr.activateService(inputXML);
    } else {
        return;
    }
    sendResonse(outputXML, response);
}
```
And here’s how you can check for the vuln:
```
wvu@kharak:~$ curl -v http://192.168.123.250/createou -d data=
*   Trying 192.168.123.250...
* TCP_NODELAY set
* Connected to 192.168.123.250 (192.168.123.250) port 80 (#0)
> POST /createou HTTP/1.1
> Host: 192.168.123.250
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 5
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 5 out of 5 bytes
< HTTP/1.1 200
< pragma: public
< Cache-Control: public
< Content-Type: text/xml
< Content-Length: 280
< Date: Wed, 28 Apr 2021 07:46:54 GMT
<
<?xml version="1.0" encoding="UTF-8"?>
<RESPONSE>
 <COMPONENT>HOSTEDES</COMPONENT>
 <METHOD>ActivateHES</METHOD>
 <OUTPUT_XML>
  <RESPONSESTATUS>FAILURE</RESPONSESTATUS>
  <ERRORNUMBER>100</ERRORNUMBER>
  <ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
 </OUTPUT_XML>
</RESPONSE>
* Connection #0 to host 192.168.123.250 left intact
* Closing connection 0
wvu@kharak:~$
```
The following XML strings are particularly significant:
```xml
<COMPONENT>HOSTEDES</COMPONENT>
<METHOD>ActivateHES</METHOD>
<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
```
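The check described in the assessment above, turned into a small fingerprinting helper for inventorying exposed appliances. This is an added example, not code from the assessment or from SonicWall; the sample response is the body shown above, the `probe` helper (name and `base_url` parameter are assumptions) performs the same empty `data=` POST as the curl command.

```python
import xml.etree.ElementTree as ET
from urllib import request

# Constructed sample: the reply body the analysis shows for an empty `data=` POST.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<RESPONSE>
 <COMPONENT>HOSTEDES</COMPONENT>
 <METHOD>ActivateHES</METHOD>
 <OUTPUT_XML>
  <RESPONSESTATUS>FAILURE</RESPONSESTATUS>
  <ERRORNUMBER>100</ERRORNUMBER>
  <ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
 </OUTPUT_XML>
</RESPONSE>"""

# Element paths (relative to <RESPONSE>) and values that identify the createou servlet.
EXPECTED = {
    "COMPONENT": "HOSTEDES",
    "METHOD": "ActivateHES",
    "OUTPUT_XML/ERRORDESCRIPTION": "Input XML is empty.",
}


def matches_createou_fingerprint(body: str) -> bool:
    """True when body is the empty-input FAILURE reply from the createou servlet."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return False  # not XML at all: some other service answered
    if root.tag != "RESPONSE":
        return False
    for path, value in EXPECTED.items():
        node = root.find(path)
        if node is None or (node.text or "").strip() != value:
            return False
    return True


def probe(base_url: str, timeout: float = 10.0) -> bool:
    """Assumed helper: POST `data=` to /createou and fingerprint the reply (needs network)."""
    req = request.Request(base_url.rstrip("/") + "/createou", data=b"data=", method="POST",
                          headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            return matches_createou_fingerprint(resp.read().decode("utf-8", "replace"))
    except (OSError, ValueError):
        return False  # unreachable host or non-HTTP reply: treat as no match
```

A match only tells you the endpoint is reachable and answers as the affected servlet; confirm the appliance version separately before closing a finding.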
General Information
Vendors
- sonicwall
Products
- email security
- hosted email security
Exploited in the Wild