Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2021-20021

Disclosure Date: April 09, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

A vulnerability in the SonicWall Email Security version 10.0.9.x allows an attacker to create an administrative account by sending a crafted HTTP request to the remote host.

Add Assessment

3
Ratings
Technical Analysis

CVE-2021-20021 is being exploited in the wild to gain admin access to SonicWall Email Security appliances. RCE typically follows.

The vulnerable endpoint /createou is implemented as follows:

  <servlet-mapping>
   <servlet-name>createou</servlet-name>
   <url-pattern>/createou</url-pattern>
  </servlet-mapping>
  <servlet>
   <servlet-name>createou</servlet-name>
   <servlet-class>com.mailfrontier.msgcenter.app.api.hosted.ActivateAccount</servlet-class>
   <init-param>
     <param-name>Method</param-name>
     <param-value>ActivateHES</param-value>
    </init-param>
   <load-on-startup>1</load-on-startup>
  </servlet>
  public void doBoth(HttpServletRequest request, HttpServletResponse response) throws IOException {
    Log.info("Request received to create OU.");
    String inputXML = request.getParameter("data");
    String methodName = getInitParameter("Method");

    if (null == inputXML) {
      inputXML = readRequest(request);
    }

    if (StringUtil.isEmpty(inputXML)) {
      String str = HostedConfigurationManager.generateResponseXML("FAILURE", methodName, "100", "Input XML is empty.");
      sendResonse(str, response);

      return;
    }
    HostedConfigurationManager hostedMgr = new HostedConfigurationManager();

    String outputXML = null;
    if ("ActivateHES".equals(methodName)) {
      outputXML = hostedMgr.createAccount(inputXML, request.getLocale());
    }
    else if ("DeleteHES".equals(methodName)) {
      outputXML = hostedMgr.deleteOUAccount(inputXML);
    }
    else if ("ResetPasswordHES".equals(methodName)) {
      outputXML = hostedMgr.resetOUPassword(inputXML);
    }
    else if ("ActivateServiceHES".equals(methodName)) {
      outputXML = hostedMgr.activateService(inputXML);
    } else {
      return;
    }


    sendResonse(outputXML, response);
  }

And here’s how you can check for the vuln:

wvu@kharak:~$ curl -v http://192.168.123.250/createou -d data=
*   Trying 192.168.123.250...
* TCP_NODELAY set
* Connected to 192.168.123.250 (192.168.123.250) port 80 (#0)
> POST /createou HTTP/1.1
> Host: 192.168.123.250
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 5
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 5 out of 5 bytes
< HTTP/1.1 200
< pragma: public
< Cache-Control: public
< Content-Type: text/xml
< Content-Length: 280
< Date: Wed, 28 Apr 2021 07:46:54 GMT
<
<?xml version="1.0" encoding="UTF-8"?>
<RESPONSE>
<COMPONENT>HOSTEDES</COMPONENT>
<METHOD>ActivateHES</METHOD>
<OUTPUT_XML>
<RESPONSESTATUS>FAILURE</RESPONSESTATUS>
<ERRORNUMBER>100</ERRORNUMBER>
<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
</OUTPUT_XML>
</RESPONSE>
* Connection #0 to host 192.168.123.250 left intact
* Closing connection 0
wvu@kharak:~$

The following XML strings are particularly significant:

  • <COMPONENT>HOSTEDES</COMPONENT>
  • <METHOD>ActivateHES</METHOD>
  • <ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • sonicwall

Products

  • email security,
  • hosted email security

Additional Info

Technical Analysis