2021 was open season on SonicWall's appliances, remote access and email alike
In 2021, SonicWall's SMA/SRA remote-access appliances and its Email Security product were both hit by zero-day exploitation, by ransomware crews and APTs. Seven of those CVEs are in the catalog, several used before patches existed.
SonicWall had a rough 2021. Two different appliance lines came under zero-day attack: the SMA/SRA Secure Mobile Access remote-access gateways, and the SonicWall Email Security product. The catalog holds seven of the resulting CVEs: CVE-2021-20016, CVE-2021-20028, CVE-2021-20038, and CVE-2019-7481 on the SMA/SRA side, and CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023 on the Email Security side. Several were exploited before patches were available, by ransomware operators and nation-state actors.
The two fronts
- SMA/SRA remote-access appliances. CVE-2021-20016 is a SQL injection in the SMA100 SSL-VPN that the UNC2447 group (linked to HelloKitty and FiveHands ransomware) used as a zero-day for initial access. CVE-2021-20038 is a stack buffer overflow on SMA100 enabling unauthenticated RCE. CVE-2021-20028 (SRA SQLi) and CVE-2019-7481 (SMA100 SQLi) round out the remote-access set. Notably, some of these affected the SRA line, which SonicWall had already moved to end-of-life, so for certain devices the fix is replacement, not patching.
- Email Security. CVE-2021-20021 (privilege escalation / admin account creation), CVE-2021-20022 (file upload), and CVE-2021-20023 (path traversal) were chained by a threat actor, as Mandiant documented, to gain administrative access and plant web shells on SonicWall Email Security appliances, all as a zero-day.
CISA lists these with the ransomware flag. The pattern is the familiar one: internet-facing security appliances, exploited fast, used by both ransomware crews and APTs.
The lessons
These reinforce points the rest of the catalog keeps making, applied to one vendor in one bad year:
- Security appliances are prime targets, ironically. The devices you deploy to secure remote access and email are themselves internet-facing servers with exploitable bugs, and attackers go after them precisely because they’re trusted and well-placed.
- Zero-day exploitation means patching alone isn’t the whole defense. Several of these were used before patches existed. Reducing exposure (keeping management and unnecessary services off the internet) and detection (web shells, rogue admin accounts) carry the load in the zero-day window.
- End-of-life appliances have no patch path. The SRA line being EOL means some affected devices can only be remediated by replacement, the recurring EOL-edge-device problem.
What to do
- Patch SonicWall SMA/SRA and Email Security to current, and retire any end-of-life SRA hardware; there's no fix coming for dead appliances.
- Restrict and minimize exposure. Keep management interfaces off the open internet, enforce MFA on SMA SSL-VPN, and limit which networks can reach these appliances.
- Hunt for the documented post-exploitation. On SMA/SRA, look for unauthorized VPN sessions and the ransomware staging UNC2447 used; on Email Security, look for unexpected admin accounts and web shells. These were zero-days, so an appliance exposed in 2021 should be investigated, not assumed clean.
- Reset credentials the appliances held if you were exposed, given the SQLi/credential-access nature of several bugs.
- Keep offline backups so a HelloKitty/FiveHands-style intrusion through these appliances doesn’t take your recovery with it.
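The hunt items above, as an added example that is not part of the original note: a small triage script that walks a constructed key=value log export (not SonicWall's real log format, which you would map onto these fields) and flags the three indicators the note names, rogue admin accounts, web-shell-like uploads, and VPN sessions from unexpected networks or without MFA, then correlates source addresses across appliances. The baselines (`KNOWN_ADMINS`, `EXPECTED_VPN_NETS`) and all sample addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample export (key=value per line); not SonicWall's real format.
SAMPLE_LOGS = """\
2021-04-20T02:13:07Z host=mailsec01 event=admin_account_created user=support_tmp src=203.0.113.45
2021-04-20T02:13:22Z host=mailsec01 event=file_upload user=support_tmp path=/branding/helper.aspx src=203.0.113.45
2021-04-21T03:44:59Z host=sma01 event=vpn_login user=svc_backup src=203.0.113.45 mfa=no
2021-04-21T09:01:11Z host=sma01 event=vpn_login user=jdoe src=198.51.100.7 mfa=yes
2021-04-22T10:00:00Z host=mailsec01 event=admin_account_created user=helpdesk2 src=10.0.5.12
"""
# Baselines an operator fills in from their own records (assumed values here).
KNOWN_ADMINS = {"admin", "helpdesk2"}
EXPECTED_VPN_NETS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("10.0.0.0/8")]
WEBSHELL_EXTS = (".aspx", ".jsp", ".jspx", ".php", ".cgi")
KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """'timestamp k=v k=v ...' -> dict, with the timestamp stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(KV.findall(rest))
    event["ts"] = ts
    return event

def hunt(log_text):
    """Return (finding, host, detail, src) tuples for the three indicators the note names."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "admin_account_created" and ev["user"] not in KNOWN_ADMINS:
            findings.append(("rogue_admin", ev["host"], ev["user"], ev["src"]))
        elif kind == "file_upload" and ev["path"].lower().endswith(WEBSHELL_EXTS):
            findings.append(("webshell_candidate", ev["host"], ev["path"], ev["src"]))
        elif kind == "vpn_login":
            src = ipaddress.ip_address(ev["src"])
            # Outside the expected networks or without MFA: what a stolen-credential login looks like.
            if ev.get("mfa") != "yes" or not any(src in net for net in EXPECTED_VPN_NETS):
                findings.append(("suspect_vpn_session", ev["host"], ev["user"], ev["src"]))
    return findings

def cross_appliance_sources(findings):
    """Sources flagged on more than one appliance: escalate as one incident, not two."""
    hosts_by_src = {}
    for _, host, _, src in findings:
        hosts_by_src.setdefault(src, set()).add(host)
    return {src for src, hosts in hosts_by_src.items() if len(hosts) > 1}

if __name__ == "__main__":
    print(hunt(SAMPLE_LOGS), cross_appliance_sources(hunt(SAMPLE_LOGS)))
```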
The reframe is to treat your security appliances, VPN gateways and email-security devices alike, as high-value internet-facing servers that attackers will hit with zero-days, not as set-and-forget protective gear. SonicWall's 2021 shows both fronts going at once. Patch and retire EOL, shrink exposure, hunt for implants in the zero-day window, and reset what the bugs could have taken. We track the SonicWall entries across product lines because the attackers treated the whole appliance fleet as a target set.