CVE-2021-20025: SonicWall Email Security Appliance Backdoor Credential

The virtual, on-premises version of the SonicWall Email Security Appliance ships with an undocumented, static credential, which can be used by an attacker to gain root privileges on the device. This is an instance of CWE-798: Use of Hard-coded Credentials, and has an estimated CVSSv3 score of 9.1. This issue was fixed by the vendor in version 10.0.10, according to the vendor's advisory, SNWLID-2021-0012.

Product Description

The SonicWall Email Security Virtual Appliance is a solution which "defends against advanced email-borne threats such as ransomware, zero-day threats, spear phishing and business email compromise (BEC)." It is in use in many industries around the world as a primary means of preventing several varieties of email attacks. More about SonicWall's solutions can be found at the vendor's website.

Credit

This issue was discovered by William Vu (@wvuuuuuuuuu) of Rapid7, and is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Exploitation

The session capture below illustrates using the appliance's built-in SSH management interface to connect to the device as the root user with the static password "sonicall".

wvu@kharak:~$ ssh -o stricthostkeychecking=no -o userknownhostsfile=/dev/null ..
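Two things a defender wants after reading the above: a quick way to tell whether a given appliance version predates the 10.0.10 fix, and a way to spot the footprint an exploitation attempt leaves behind. The following is an added example written for this page, not code from Rapid7 or SonicWall. It assumes the appliance reports a dotted numeric version string and that its SSH management interface logs through a standard OpenSSH-style sshd syslog line ("Accepted password for root from ..."); the log lines embedded in it are constructed for illustration, and the `trusted_sources` allowlist is a hypothetical tuning knob, not an appliance feature.

```python
"""Triage helpers for CVE-2021-20025 (static root credential on SonicWall Email Security).

Added example, not Rapid7's or SonicWall's code. Assumptions: the appliance
reports a dotted numeric version string, and its SSH management interface logs
through a standard OpenSSH sshd syslog format. Sample log lines below are
constructed for illustration and are not from a real appliance.
"""
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

# Fixed in 10.0.10 according to vendor advisory SNWLID-2021-0012.
FIXED_VERSION: Tuple[int, ...] = (10, 0, 10)


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.9.6173' -> (10, 0, 9, 6173). Raises ValueError on non-numeric parts."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True when the reported version predates the 10.0.10 fix.

    Tuple comparison handles build suffixes correctly: (10, 0, 9, 6173) sorts
    below (10, 0, 10), while (10, 0, 10, 7000) sorts above it and is treated as fixed.
    """
    return parse_version(version) < FIXED_VERSION


class RootLogin(NamedTuple):
    timestamp: str
    host: str
    method: str
    source: str
    port: int


# OpenSSH "Accepted <method> for <user> from <ip> port <port> ssh2" (assumed log format).
_ACCEPTED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def find_root_password_logins(
    lines: Iterable[str], trusted_sources: Set[str] = frozenset()
) -> List[RootLogin]:
    """Flag successful password (not public-key) authentication as root over SSH.

    Use of the static credential looks exactly like this in sshd's log: a root
    login authenticated by password rather than by key. Logins from known
    management hosts can be suppressed via trusted_sources (hypothetical allowlist).
    """
    hits: List[RootLogin] = []
    for line in lines:
        m = _ACCEPTED.match(line)
        if not m:
            continue  # failed attempts and unrelated lines are ignored here
        if m["user"] != "root" or m["method"] != "password":
            continue
        if m["src"] in trusted_sources:
            continue
        hits.append(RootLogin(m["ts"], m["host"], m["method"], m["src"], int(m["port"])))
    return hits


# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    "Apr 20 09:12:01 esva sshd[2101]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2",
    "Apr 20 09:14:37 esva sshd[2144]: Failed password for root from 203.0.113.7 port 51230 ssh2",
    "Apr 20 09:14:41 esva sshd[2144]: Accepted password for root from 203.0.113.7 port 51230 ssh2",
    "Apr 20 09:20:05 esva sshd[2190]: Accepted password for root from 192.0.2.10 port 50301 ssh2",
]

if __name__ == "__main__":
    for v in ("10.0.9.6173", "10.0.10"):
        print(f"{v}: {'affected' if is_affected(v) else 'fixed'}")
    for hit in find_root_password_logins(SAMPLE_LOG, trusted_sources={"192.0.2.10"}):
        print(f"root password login from {hit.source}:{hit.port} at {hit.timestamp} on {hit.host}")
```

Run against the constructed sample, the version check reports 10.0.9.6173 as affected and 10.0.10 as fixed, and the log scan surfaces the single root password login from 203.0.113.7 while suppressing the one from the allowlisted management host. Only successful ("Accepted") logins are flagged; the preceding "Failed password" line is deliberately ignored so that the output tracks actual access rather than brute-force noise, though a separate threshold on failures is worth adding in a real deployment.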