UNC2682 behind the Zero-day Exploit on SonicWall

Threat Advisories

THREAT LEVEL: Red.

UNC2682 is exploiting three previously unknown vulnerabilities in SonicWall Email Security to obtain authenticated access (CVE-2021-20021), read files (CVE-2021-20022), and modify files (CVE-2021-20023). A Behinder webshell is then planted in the Tomcat Java web server that already ships with the product, and used to gather additional information about the network. From that foothold the attacker can move laterally and compromise the whole organization; the vulnerabilities can also be chained in other ways depending on the attacker's objectives.
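The webshell step above is what a defender can catch on the box itself: a Behinder-style shell lands as a new or altered JSP inside an existing Tomcat webapps tree. The following is an added example (not code from the advisory or from SonicWall) that snapshots file hashes under a webapps directory and diffs a later snapshot to surface exactly that; the directory layout and file names are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# File types an attacker would plant or tamper with to get code execution in Tomcat
WEBSHELL_SUFFIXES = (".jsp", ".jspx", ".war")


def snapshot(root: Path) -> dict[str, str]:
    """Map every regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def diff_webapps(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (kind, path) findings for new or modified files that Tomcat would execute.

    Only JSP/WAR-type files are reported: a changed image or stylesheet is noise,
    a changed or newly appeared JSP in a deployed webapp is the planted-webshell signal.
    """
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(("new", rel))
        elif baseline[rel] != digest:
            findings.append(("modified", rel))
    return [f for f in findings if f[1].lower().endswith(WEBSHELL_SUFFIXES)]


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: baseline a clean webapp, then simulate a planted and a tampered JSP."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webapps"
        app = root / "app"  # constructed webapp name, not from the advisory
        app.mkdir(parents=True)
        (app / "index.jsp").write_text("<%-- legitimate page --%>")
        (app / "logo.png").write_bytes(b"\x89PNG")
        baseline = snapshot(root)  # taken from a known-good state, e.g. right after patching
        # Simulated post-compromise changes (no real payload): one new JSP, one edited JSP,
        # and one non-executable change that should not be reported.
        (app / "help.jsp").write_text("<%-- planted --%>")
        (app / "index.jsp").write_text("<%-- tampered --%>")
        (app / "logo.png").write_bytes(b"\x89PNG\x00")
        return diff_webapps(baseline, snapshot(root))
```

Run the baseline from a trusted state and store it off-box; the check is only as good as the snapshot it compares against.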

SonicWall has released patches for all three vulnerabilities and deployed the following IPS signatures to all active subscriptions:

• IPS Signature: 15520 WEB-ATTACKS SonicWall Email Security (CVE-2021-20022 Vulnerability)

• IPS Signature: 1067 WEB-ATTACKS Web Application Directory Traversal Attack 7

• IPS Signature: 15509 WEB-ATTACKS Web Application Directory Traversal Attack 7 -c2

Vulnerability Details

Patch Links

https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0007
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0008
https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2021-0010
References