Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-27852: CERT/CC Vulnerability Note VU#706695

Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7.

CVE
#vulnerability#web#mac#microsoft#auth#asp.net

Overview

Checkbox Survey prior to version 7.0 insecurely deserializes ASP.NET View State data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server.

Description

CVE-2021-27852 Checkbox Survey insecurely deserializes ASP.NET View State data.

Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a _VSTATE argument, which it then deserializes using LosFormatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET ViewState Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.

This vulnerability is reportedly being exploited in the wild.

Impact

By making a specially-crafted request to a server that uses Checkbox Survey 6.x or earlier, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the web server.

Solution****Apply an update

Starting with Checkbox Survey 7.0, View State data is not used. Therefore, Checkbox Survey versions 7.0 and later do not contain this vulnerability.

Remove Checkbox Survey versions older than 7

Checkbox is no longer developing Checkbox Survey version 6, so this version is no longer safe to use. If you are unable to update to an unaffected version of Checkbox Survey, this software should be removed from any systems that have it installed.

Acknowledgements

Thanks to the reporter who wishes to remain anonymous.

This document was written by Will Dormann.

Vendor Information

Filter by content: Additional information available

Sort by:

References

  • https://www.checkbox.com/
  • https://docs.microsoft.com/en-us/previous-versions/aspnet/bb386448(v=vs.100)
  • https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8
  • https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817

Other Information

CVE IDs:

CVE-2021-27852

Date Public:

2021-05-25

Date First Published:

2021-05-25

Date Last Updated:

2021-05-25 20:33 UTC

Document Revision:

1

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907