CVE-2021-20023 — SonicWall Email Security Path Traversal Vulnerability

CVE-2021-20023

SonicWall Email Security — Post-Auth Path Traversal Enables Admin to Read Arbitrary Files; Third CVE in Three-CVE Chain with CVE-2021-20021 and CVE-2021-20022

What is SonicWall Email Security?

SonicWall Email Security is an enterprise email gateway platform for anti-spam, anti-malware, and email filtering. Deployed as a hardware appliance, virtual appliance, or software installation on Windows Server, it sits between the internet and internal mail servers to inspect and filter inbound and outbound email. Because email gateways are internet-facing and process all inbound mail, they are high-value targets — compromise gives attackers persistent access to email traffic and an internal network foothold. SonicWall Email Security runs with administrator-level privileges and can access the file system of the host server.

Overview

CVE-2021-20023 is a path traversal vulnerability (CWE-22) in SonicWall Email Security that allows a post-authenticated attacker with administrator privileges to read arbitrary files from the host. On its own the impact is limited, since it requires existing admin access, but it is the third component of a three-CVE exploit chain: CVE-2021-20021 (unauthenticated creation of a new administrator account) + CVE-2021-20022 (post-auth arbitrary file upload, used to plant a web shell and so obtain code execution) + CVE-2021-20023 (post-auth path traversal, used to read credential and configuration files off the box). Mandiant observed UNC2682 exploiting this chain in the wild before any patch existed. SonicWall released patches on April 9, 2021.

Affected Versions

Product                                         Vulnerable versions       Fixed build
SonicWall Email Security (hardware appliance)   10.0.9.x and earlier      10.0.9.6173
SonicWall Email Security (virtual appliance)    10.0.9.x and earlier      10.0.9.6173
SonicWall Email Security (Windows)              10.0.9.x and earlier      10.0.9.6173

Confirm the fixed build for your platform against SonicWall's own advisory: the appliance and Windows packages were published with separate build numbers, so do not assume one build string covers every form factor.

Technical Details

  • Root cause: Path traversal (CWE-22) in a file access function of SonicWall Email Security's administrative interface. A user-supplied file path parameter is joined onto the intended base directory without being canonicalized and checked, so directory traversal sequences (../) walk outside that directory and an authenticated admin can read files from arbitrary locations on the host filesystem
  • Chain role (post-auth file read): CVE-2021-20023 completes the exploit chain. After CVE-2021-20021 creates an admin account and CVE-2021-20022 establishes code execution, CVE-2021-20023 gives a clean, logged-as-admin way to read configuration files (mail server credentials, API keys, SSL/TLS certificates and keys, internal system configuration) that feed lateral movement
  • UNC2682 exploitation: Mandiant attributed the activity to UNC2682, a threat actor that used the three-CVE chain to implant BEHINDER web shells, harvest credentials from the Email Security host, and pivot into internal network infrastructure
  • PR:H in chain context: The path traversal itself requires administrative credentials, but CVE-2021-20021 hands those credentials to an unauthenticated attacker, so the effective requirement for the chain is PR:N (no real authentication needed)
  • C:H impact: Arbitrary file read can expose private SSH keys, stored mail server credentials, the LDAP bind credentials used for email authentication, SSL/TLS private keys, and any other secret that lives on the Email Security appliance or its host
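The root-cause bullet above describes the generic CWE-22 shape rather than the appliance's actual handler, so the following added example (not SonicWall code, and not from Mandiant's write-up) shows the vulnerable pattern beside a hardened one. It builds a throwaway directory tree in a temp directory, puts one file inside the served tree and one secret file one level above it, and then feeds both handlers plain, percent-encoded, double-encoded and absolute-path inputs. The directory and file names are invented for the demo.

```python
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox standing in for the appliance's file export directory.
# Nothing here is SonicWall code; the names are invented for this demo.
ROOT = tempfile.mkdtemp(prefix="es-traversal-demo-")
SERVED = os.path.join(ROOT, "served")          # the only tree the handler may read
os.makedirs(os.path.join(SERVED, "reports"))
with open(os.path.join(SERVED, "reports", "daily.txt"), "w") as fh:
    fh.write("daily report\n")
SECRET_PATH = os.path.join(ROOT, "secret.conf")   # one level above SERVED
with open(SECRET_PATH, "w") as fh:
    fh.write("ldap_bind_password=hunter2\n")


class TraversalRejected(Exception):
    """Raised by the hardened handler when the resolved path leaves SERVED."""


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so a double-encoded
    '%252e%252e' (which one decode turns into '%2e%2e') still collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def read_file_vulnerable(user_path: str) -> str:
    """The CWE-22 pattern: join an untrusted path onto the base directory and open it.
    '../' walks out of SERVED, and an absolute user_path makes os.path.join discard
    SERVED entirely. Mirrors what a typical web stack hands the app: decoded once."""
    with open(os.path.join(SERVED, unquote(user_path))) as fh:
        return fh.read()


def read_file_hardened(user_path: str) -> str:
    """Resolve the final path (symlinks included) and require it to sit inside SERVED.
    The containment check is the control; the extra decoding is defence in depth in
    case some component downstream decodes the name a second time."""
    candidate = os.path.realpath(os.path.join(SERVED, decode_fully(user_path)))
    base = os.path.realpath(SERVED)
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:          # e.g. different drive letters on Windows
        inside = False
    if not inside:
        raise TraversalRejected(user_path)
    with open(candidate) as fh:
        return fh.read()


def classify(user_path: str) -> str:
    """'served' or 'rejected' for the hardened handler; used by the demo and tests."""
    try:
        read_file_hardened(user_path)
        return "served"
    except TraversalRejected:
        return "rejected"


if __name__ == "__main__":
    probes = [
        "reports/daily.txt",              # legitimate
        "../secret.conf",                 # classic traversal
        "..%2Fsecret.conf",               # encoded separator
        "%252e%252e%252fsecret.conf",     # double-encoded
        SECRET_PATH,                      # absolute path, no '..' at all
    ]
    for p in probes:
        try:
            leaked = read_file_vulnerable(p).strip()
        except OSError:
            leaked = "<open failed>"
        print(f"{p!r:48} vulnerable -> {leaked!r:32} hardened -> {classify(p)}")
```

The check that matters is `commonpath` on the `realpath` of the joined result, not a blacklist of `..` strings: it also catches the absolute-path case, which contains no traversal sequence yet still escapes the base directory, and it survives symlinks inside the served tree that point outside it.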

Discovery

Discovered by Mandiant (then FireEye Mandiant) during incident response work that detected active exploitation by UNC2682. Mandiant notified SonicWall, which released patches on April 9, 2021, while exploitation was ongoing. All three CVEs were patched in the same release, consistent with SonicWall treating the chain as a single incident. Mandiant's public write-up documented the full exploitation sequence, including web shell deployment and credential harvesting.

Exploitation Context

The SonicWall Email Security three-CVE chain (CVE-2021-20021 + CVE-2021-20022 + CVE-2021-20023) is significant because it targeted a security appliance that defenders trust to protect mail. Compromising an email security gateway gives attackers: (1) persistent access to all inbound and outbound email traffic, (2) a trusted network foothold behind the email filtering infrastructure, (3) access to mail server credentials that enable a further pivot to Exchange or Microsoft 365, and (4) the ability to suppress or tamper with email security alerts about the ongoing intrusion. UNC2682's use of BEHINDER (a Chinese-language web shell popular with APT actors) is suggestive of a capable, possibly state-aligned adversary, but that is an inference from tooling, not an attribution.

Remediation

  1. Apply SonicWall Email Security 10.0.9.6173 or later (verify the fixed build for your platform against SonicWall's advisory); the release patches CVE-2021-20021, CVE-2021-20022 and CVE-2021-20023 together
  2. Audit administrator accounts in the Email Security admin console before trusting the patched system: CVE-2021-20021 allows unauthenticated account creation, so any account the administrators did not create should be disabled, investigated and removed
  3. Search the Email Security application and web-root directories for web shells: unexpected .jsp or other script files, recently modified files in web-accessible paths, and BEHINDER in particular. Compare against a known-good install rather than relying on file names, since a shell can be dropped under an innocuous name
  4. Rotate every credential the appliance could reach: mail server accounts, LDAP bind credentials, API keys and SSL/TLS private keys (and reissue certificates whose private keys lived on the box)
  5. Review Email Security and upstream proxy logs for traversal sequences in request parameters, including percent-encoded and double-encoded forms, and for administrative API calls from unexpected sources or at unexpected times; on an unpatched build a 200 response to such a request means the read succeeded. Treat missing or truncated logs as suspicious, since an attacker with a web shell can edit them
  6. Restrict the management interface to specific administrative IP addresses and remove internet-facing administrative access; only the mail-flow ports need to be reachable from outside
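Step 5 above is the one that is easy to get wrong, because the traversal sequence may be percent-encoded, double-encoded or written with backslashes. The following added example (not SonicWall tooling, and not from the Mandiant report) runs a small triage pass over constructed access-log lines in the Apache/Tomcat common format: it decodes each URL path and query value to a fixed point, flags any request where a path segment is `..`, records the HTTP status so successful reads stand out, and counts hits per source address. The IP addresses, usernames, endpoint and parameter names are invented; it assumes the appliance or a proxy in front of it logs the full request target including the query string.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample lines (Apache/Tomcat "common" access-log format). The IPs, users,
# endpoint and parameter names are invented for this demo and are not SonicWall's.
SAMPLE_LOG = [
    '203.0.113.7 - admin [12/Apr/2021:03:14:07 +0000] "GET /admin/export?file=reports/daily.txt HTTP/1.1" 200 812',
    '203.0.113.7 - admin [12/Apr/2021:03:14:09 +0000] "GET /admin/export?file=../../../../etc/passwd HTTP/1.1" 200 1831',
    '203.0.113.7 - admin [12/Apr/2021:03:14:11 +0000] "GET /admin/export?file=..%2F..%2Fconf%2Fserver.xml HTTP/1.1" 200 6200',
    '203.0.113.7 - admin [12/Apr/2021:03:14:15 +0000] "GET /admin/export?file=%252e%252e%252fkeys%252fprivate.pem HTTP/1.1" 200 1704',
    r'203.0.113.7 - admin [12/Apr/2021:03:14:20 +0000] "GET /admin/export?file=..\..\conf\app.conf HTTP/1.1" 404 310',
    '198.51.100.20 - ops [12/Apr/2021:08:00:01 +0000] "GET /admin/export?file=reports/weekly.txt HTTP/1.1" 200 900',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)$'
)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing so '%252e%252e' becomes '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value: str) -> bool:
    """True if any segment of the fully decoded value is '..' (slash or backslash
    separated) or the value carries a NUL byte, the classic suffix-truncation trick."""
    decoded = decode_fully(value)
    if "\x00" in decoded:
        return True
    return ".." in re.split(r"[\\/]+", decoded)


def find_traversal(lines):
    """Return one finding per request line whose path or any query value traverses."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Inspect the raw (still encoded) path and each raw query value separately so a
        # '%2F' inside a value is decoded as part of that value, not as a URL separator.
        suspects = [("path", parts.path)]
        for pair in (parts.query.split("&") if parts.query else []):
            key, _, val = pair.partition("=")
            suspects.append((key, val))
        for name, raw in suspects:
            if has_traversal(raw):
                findings.append({
                    "ip": m.group("ip"), "user": m.group("user"), "ts": m.group("ts"),
                    "status": int(m.group("status")), "param": name,
                    "decoded": decode_fully(raw),
                })
                break  # one finding per request line
    return findings


def confirmed_reads(findings):
    """Flagged requests that returned 200: on an unpatched build these are real reads."""
    return [f for f in findings if f["status"] == 200]


def by_source(findings):
    """Count flagged requests per source IP; a burst from one address is the usual shape."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    hits = find_traversal(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']}  {f['ip']:15} {f['user']:6} {f['status']}  {f['param']}={f['decoded']}")
    print("confirmed reads:", len(confirmed_reads(hits)), "by source:", dict(by_source(hits)))
```

Decoding to a fixed point is deliberate: a single `unquote` leaves the double-encoded line looking like a literal file named `%2e%2e`, which is exactly the blind spot an attacker is counting on. Feed real logs through `find_traversal` line by line and pivot on `by_source` and the admin username to scope which account, created or stolen, was used.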

Key Details

Property                 Value
CVE ID                   CVE-2021-20023
Vendor / Product         SonicWall — SonicWall Email Security
NVD Published            2021-04-20
NVD Last Modified        2025-11-12
CVSS 3.1 Score           4.9
CVSS 3.1 Vector          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Severity                 MEDIUM
CWE                      CWE-22
CISA KEV Added           2021-11-03
CISA KEV Deadline        2021-11-17
Known Ransomware Use     Yes

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2021-11-17. Apply updates per vendor instructions.

Timeline

Date          Event
2021-03-26    Mandiant detects active exploitation of SonicWall Email Security by UNC2682
2021-04-09    SonicWall releases patches for CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023
2021-04-20    CVE published; Mandiant publishes analysis of the in-the-wild exploitation chain
2021-11-03    Added to CISA Known Exploited Vulnerabilities catalog
2021-11-17    CISA BOD 22-01 remediation deadline