Yesterday (January 25, 2022), amid security Twitter drama, a threat actor and alleged DarkSide and LockBit affiliate who goes by the name "Wazawaka" (aka "MazeFucke") shared exploit code for a vulnerability in SonicWall SRA appliances (CVE-2021-20028) in retaliation for Brian Krebs recently doxing Waza. Until today there had been no evidence of exploitation in the wild and no other proof-of-concept (PoC) exploit code for this vulnerability.
CVE-2021-20028: Improper neutralization of special elements used in an SQL command leading to SQL injection vulnerability impacting end-of-life SRA appliances.
Affected: 8.x, 9.0.0.9-26sv and earlier
CVSS: 9.8
The exploit code begins by probing URI paths and response artifacts to identify vulnerable SonicWall SRA versions. It then targets the verified devices to leak user session data from the SQL instance.
Older SRA appliances (< 9.x/10.x) are targeted with the following SQL injection (SQLi) string sent to the '/cgi-bin/supportInstaller' endpoint.
UNION SELECT 1,2,userType||'#'||domainName,sessionid,userName,password,7,8 from Sessions LIMIT {:digit:},1 --
Newer versions (> 9.x/10.x) receive this SQLi string at the '/cgi-bin/extendauthentication' endpoint.
UNION SELECT userType||'#'||sessionid||'#'||userName||'#'||password||'#'||domainName from Sessions LIMIT {:digit:},1;
The user passwords returned in the SQL data are passed to a decryption function that contains keys for decrypting DES-encrypted strings. Given that the script is built for mass scanning and exploitation, the keys included in the exploit code are possibly the default keys SRA appliances use for passwords stored in user sessions.
The session data is saved locally and then used to download the “persist.db” database by targeting the endpoint '/cgi-bin/sslvpnclient'.
{'scriptdownload': '../../../../../../usr/src/EasyAccess/var/conf/persist.db', 'epcversionquery': '0'}
The exploit code finishes by locally extracting additional user credentials from the downloaded "persist.db", which could contain credentials used for Active Directory, LDAP, RADIUS, and SSO.
After reviewing the exploit code, the CRU has not seen any signs of mass exploitation at this time. We will continue to monitor and keep the community up to date on any new information we discover.
The CRU has pushed out the following network detection signatures, which trigger when a threat actor attempts to exploit this SonicWall SRA appliance vulnerability.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Sonicwall SRA > 9.x/10.x SQLi (CVE-2021-20028)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/cgi-bin/extendauthentication"; http.request_body; content:"extendid"; content:"SELECT"; distance:0; content:"Sessions"; distance:0; flowbits:set,cru-sra-2021-20028; tag:session,5,packets; classtype:web-application-activity; sid:900553; rev:1; metadata: created_at 2022_01_26, updated_at 2022_01_26, cve CVE_2021_20028, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"[ConnectWise CRU] Sonicwall SRA < 9.x/10.x SQLi (CVE-2021-20028)"; flow:established, to_server; http.method; content:"POST"; http.uri; content:"/spog/welcome"; http.request_body; content:"customerTID"; content:"SELECT"; distance:0; content:"Sessions"; distance:0; flowbits:set,cru-sra-2021-20028; tag:session,5,packets; classtype:web-application-activity; sid:900554; rev:1; metadata: created_at 2022_01_26, updated_at 2022_01_26, cve CVE_2021_20028, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Sonicwall SRA > 9.x/10.x SQLi Response (CVE-2021-20028)"; flow:established, to_client; http.header; content:"Set-Cookie"; content:"swap="; distance:0; flowbits:isset,cru-sra-2021-20028; tag:session,5,packets; classtype:web-application-activity; sid:900555; rev:1; metadata: created_at 2022_01_26, updated_at 2022_01_26, cve CVE_2021_20028, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"[ConnectWise CRU] Sonicwall SRA < 9.x/10.x SQLi Response (CVE-2021-20028)"; flow:established, to_client; http.response_body; content:"var username"; content:"var portalname"; content:"var expertname"; content:"var supportcode"; flowbits:isset,cru-sra-2021-20028; tag:session,5,packets; classtype:web-application-activity; sid:900556; rev:1; metadata: created_at 2022_01_26, updated_at 2022_01_26, cve CVE_2021_20028, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
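The request-side logic of the two to_server rules above, re-implemented in Python so it can be run over HTTP request records from proxy or WAF logs when no Suricata sensor is in the path. This is an added example, not the CRU's tooling; the HttpRequest record and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed request record (hypothetical; shape your own log parser to produce it).
@dataclass
class HttpRequest:
    method: str
    uri: str
    body: str

# Mirrors the CRU rules: method, URI substring, then ordered body tokens.
# Suricata's chained content + distance:0 means each token must appear after
# the previous one, and matches are case-sensitive, as in the rules.
RULES = {
    "cru-sra-newer-sqli": ("POST", "/cgi-bin/extendauthentication",
                           ["extendid", "SELECT", "Sessions"]),
    "cru-sra-older-sqli": ("POST", "/spog/welcome",
                           ["customerTID", "SELECT", "Sessions"]),
}

def ordered_contains(haystack: str, needles: list) -> bool:
    """True if every needle occurs, each one after the previous match."""
    pos = 0
    for needle in needles:
        idx = haystack.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def match_request(req: HttpRequest) -> list:
    """Return the names of all rules the request satisfies."""
    return [name for name, (method, uri, needles) in RULES.items()
            if req.method == method and uri in req.uri
            and ordered_contains(req.body, needles)]

# Constructed sample traffic: two injection attempts (payload shapes from the
# writeup), one benign login, and one request with the tokens out of order.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/cgi-bin/extendauthentication",
                "extendid=1' UNION SELECT userType||'#'||sessionid from Sessions LIMIT 0,1;--"),
    HttpRequest("POST", "/spog/welcome",
                "customerTID=1 UNION SELECT 1,2,3 from Sessions LIMIT 0,1 --"),
    HttpRequest("POST", "/cgi-bin/extendauthentication", "extendid=abc123&password=hunter2"),
    HttpRequest("POST", "/cgi-bin/extendauthentication", "Sessions SELECT extendid"),
]

def scan(requests: list) -> list:
    """Evaluate every request; returns one list of rule hits per request."""
    return [match_request(r) for r in requests]

if __name__ == "__main__":
    for req, hits in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(req.method, req.uri, hits or "-")
```

Only the request side is covered here; the response-side rules (swap= cookie, the var username/portalname/expertname/supportcode body) additionally need the flowbit set by a matching request, so correlate on the same session before alerting.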