9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.009 Low
EPSS
Percentile
80.9%
A vulnerability in SonicWall Email Security version 10.0.9.x allows an unauthenticated attacker to create an administrative account by sending a crafted HTTP request to the remote host.
Recent assessments:
wvu-r7 at April 28, 2021 11:04pm UTC reported:
CVE-2021-20021 is being exploited in the wild to gain admin access to SonicWall Email Security appliances. RCE typically follows.
The vulnerable endpoint /createou is implemented as follows:
<servlet-mapping>
    <servlet-name>createou</servlet-name>
    <url-pattern>/createou</url-pattern>
</servlet-mapping>
<servlet>
    <servlet-name>createou</servlet-name>
    <servlet-class>com.mailfrontier.msgcenter.app.api.hosted.ActivateAccount</servlet-class>
    <!-- Method is fixed by this init-param, so every request to /createou takes the ActivateHES branch -->
    <init-param>
        <param-name>Method</param-name>
        <param-value>ActivateHES</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
public void doBoth(HttpServletRequest request, HttpServletResponse response) throws IOException {
    Log.info("Request received to create OU.");
    // Caller-supplied XML, taken from the "data" form parameter or, failing that, the raw request body
    String inputXML = request.getParameter("data");
    String methodName = getInitParameter("Method");
    if (null == inputXML) {
        inputXML = readRequest(request);
    }
    if (StringUtil.isEmpty(inputXML)) {
        String str = HostedConfigurationManager.generateResponseXML("FAILURE", methodName, "100", "Input XML is empty.");
        sendResonse(str, response);
        return;
    }
    // Nothing in this method authenticates or authorizes the caller before dispatching on Method
    HostedConfigurationManager hostedMgr = new HostedConfigurationManager();
    String outputXML = null;
    if ("ActivateHES".equals(methodName)) {
        outputXML = hostedMgr.createAccount(inputXML, request.getLocale());
    }
    else if ("DeleteHES".equals(methodName)) {
        outputXML = hostedMgr.deleteOUAccount(inputXML);
    }
    else if ("ResetPasswordHES".equals(methodName)) {
        outputXML = hostedMgr.resetOUPassword(inputXML);
    }
    else if ("ActivateServiceHES".equals(methodName)) {
        outputXML = hostedMgr.activateService(inputXML);
    } else {
        return;
    }
    sendResonse(outputXML, response);
}
And here's how you can check for the vuln:
wvu@kharak:~$ curl -v http://192.168.123.250/createou -d data=
* Trying 192.168.123.250...
* TCP_NODELAY set
* Connected to 192.168.123.250 (192.168.123.250) port 80 (#0)
> POST /createou HTTP/1.1
> Host: 192.168.123.250
> User-Agent: curl/7.64.1
> Accept: */*
> Content-Length: 5
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 5 out of 5 bytes
< HTTP/1.1 200
< pragma: public
< Cache-Control: public
< Content-Type: text/xml
< Content-Length: 280
< Date: Wed, 28 Apr 2021 07:46:54 GMT
<
<?xml version="1.0" encoding="UTF-8"?>
<RESPONSE>
<COMPONENT>HOSTEDES</COMPONENT>
<METHOD>ActivateHES</METHOD>
<OUTPUT_XML>
<RESPONSESTATUS>FAILURE</RESPONSESTATUS>
<ERRORNUMBER>100</ERRORNUMBER>
<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
</OUTPUT_XML>
</RESPONSE>
* Connection #0 to host 192.168.123.250 left intact
* Closing connection 0
wvu@kharak:~$
The following XML strings are particularly significant:
<COMPONENT>HOSTEDES</COMPONENT>
<METHOD>ActivateHES</METHOD>
<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
Assessed Attacker Value: 5
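The check wvu-r7 runs by hand with curl, wrapped as a small scanner. This is an added example, not part of the assessment above and not SonicWall code. The request shape (POST /createou with an empty data parameter) and the three XML markers it keys on come from the transcript above; the function names, the result labels and the constructed non-matching sample response are assumptions made here for illustration.

```python
"""Fingerprint the unauthenticated /createou servlet without exercising it.

Sending an empty "data" parameter never reaches createAccount(), so this
only confirms that the servlet answers pre-auth; it creates nothing.
"""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Response body copied from the curl transcript above (constructed test input).
SAMPLE_VULNERABLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<RESPONSE>
<COMPONENT>HOSTEDES</COMPONENT>
<METHOD>ActivateHES</METHOD>
<OUTPUT_XML>
<RESPONSESTATUS>FAILURE</RESPONSESTATUS>
<ERRORNUMBER>100</ERRORNUMBER>
<ERRORDESCRIPTION>Input XML is empty.</ERRORDESCRIPTION>
</OUTPUT_XML>
</RESPONSE>"""

# Constructed: a reply from a host that does not serve the servlet at all.
SAMPLE_OTHER_RESPONSE = b"<html><body><h1>404 Not Found</h1></body></html>"

# The three strings the assessment singles out as significant.
EXPECTED_MARKERS = {
    "COMPONENT": "HOSTEDES",
    "METHOD": "ActivateHES",
    "ERRORDESCRIPTION": "Input XML is empty.",
}


def parse_markers(body):
    """Return {tag: text} for the marker elements found in an XML body.

    Returns {} when the body is not well-formed XML. The reply is tiny and
    comes from the appliance itself; for hostile XML prefer defusedxml.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return {}
    found = {}
    for tag in EXPECTED_MARKERS:
        element = root.find(f".//{tag}")
        if element is not None and element.text is not None:
            found[tag] = element.text.strip()
    return found


def classify_response(status, body):
    """Map one HTTP reply to 'exposed', 'absent' or 'unknown'.

    'exposed' requires HTTP 200 plus all three markers exactly; a non-200
    status means the endpoint is not served; anything else needs a human.
    """
    if status != 200:
        return "absent"
    markers = parse_markers(body)
    if markers == EXPECTED_MARKERS:
        return "exposed"
    return "unknown"


def check_host(base_url, timeout=10):
    """POST 'data=' to <base_url>/createou, as the curl command does.

    Network helper (not exercised offline); base_url is assumed, e.g.
    'http://192.168.123.250'. Returns 'unreachable' on connection failure.
    """
    request = urllib.request.Request(
        base_url.rstrip("/") + "/createou",
        data=b"data=",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return classify_response(response.status, response.read())
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a body
        return classify_response(err.code, err.read())
    except urllib.error.URLError:
        return "unreachable"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.123.250"
    print(f"{target}: {check_host(target)}")
```

The classifier deliberately demands all three markers rather than just an HTTP 200, so a host that happens to serve something else at /createou is reported as unknown instead of exposed. The transcript uses plain HTTP; an appliance reached over HTTPS with a self-signed certificate will fail certificate validation in urlopen and surface as unreachable, which is the safe default rather than silently disabling verification.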