
Kentico CMS 5.5 R2 Critical Vulnerability

8 March 2021 - by Obrela LABS

Anastasios Stasinopoulos from Obrela LABS team discovered a critical risk vulnerability that affects Kentico CMS, a popular ASP.NET web content management system that is used to build websites, online stores and Web 2.0 community sites.

More specifically, Kentico CMS 5.5 R2 build 5.5.3996 was found vulnerable to SQL injection attacks on a specific parameter, allowing a potential attacker – without requiring authentication – to interact with the backend Microsoft SQL Server database.

Successful exploitation of this vulnerability allows unauthorized access to, modification of, or deletion of the data stored in the backend database and, if specific conditions are met, can also be leveraged to completely compromise the underlying operating system that hosts Kentico.

The software vendor was informed by Obrela LABS prior to public disclosure; the vulnerability was subsequently registered under the CVE record CVE-2021-27581.

According to the software vendor's response, it is advised to update Kentico CMS to the latest version, which is not vulnerable to this security flaw.

The vulnerability was exploited using the sqlmap tool:

* Sample url: https://target.com/blog?tagname=test&groupid=1

* Vulnerable parameter: tagname

* Type: time-based blind sql injection

* Sample payload: tagname=test'+(SELECT CHAR(118)+CHAR(103)+CHAR(85)+CHAR(89) WHERE 1718=1718 AND 6176=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7))+'&groupid=1
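Defender-side illustration, added here and not part of the Obrela LABS advisory or of Kentico's own code: a small Python log scanner that parses IIS-style access log lines and flags requests whose `tagname` parameter carries the markers of the time-based blind payload quoted above (an injected quote followed by SQL, `CHAR()` concatenation chains, a multi-way `sysusers` self-join, or an explicit `WAITFOR DELAY`). The sample log lines, field layout and client addresses are constructed for the demonstration, and the `SIGNATURES` names and the `parse_iis_line`/`scan_log`/`client_summary` helpers are this example's own, not Kentico or sqlmap identifiers.

```python
"""Spot the time-based blind injection pattern from the advisory in web server logs.

Added example for the Kentico CMS tagname injection (CVE-2021-27581); it is not
part of the Obrela LABS advisory or of Kentico's code. Log lines, field layout
and client addresses below are constructed for the demonstration.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed IIS W3C-style lines with the fields:
# date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
SAMPLE_LOG = """\
2021-02-22 10:15:01 GET /blog tagname=test&groupid=1 203.0.113.10 200
2021-02-22 10:15:07 GET /blog tagname=test'%2B(SELECT+CHAR(118)%2BCHAR(103)+WHERE+1718%3D1718+AND+6176%3D(SELECT+COUNT(*)+FROM+sysusers+AS+sys1,sysusers+AS+sys2,sysusers+AS+sys3))%2B'&groupid=1 203.0.113.10 200
2021-02-22 10:15:09 GET /blog tagname=o'neil&groupid=1 198.51.100.7 200
2021-02-22 10:15:12 GET /blog tagname=test'+WAITFOR+DELAY+'0:0:5'--&groupid=1 203.0.113.10 200
"""

# Markers of the payload shape shown in the advisory, matched on the *decoded*
# parameter value. A lone apostrophe (o'neil) is deliberately not enough to fire.
SIGNATURES = {
    # a string terminated with a quote and immediately continued with SQL
    "quote_then_sql": re.compile(r"'\s*\+?\s*\(?\s*(?:select|union|waitfor|and|or)\b", re.I),
    # CHAR(n)+CHAR(n) string building, used to avoid further literal quotes
    "char_concat_chain": re.compile(r"char\(\d+\)\s*\+\s*char\(\d+\)", re.I),
    # repeated self-join of a system table: the heavy-query delay in the sample payload
    "sysusers_self_join": re.compile(r"(?:sysusers\s+as\s+\w+\s*,\s*){2,}sysusers", re.I),
    # the explicit MSSQL delay form of the same technique
    "waitfor_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
}


def parse_iis_line(line):
    """Split one constructed IIS-style line into a record; None if it does not fit."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time_, method, stem, query, client_ip, status = fields
    # parse_qs undoes %XX escapes and '+' spaces, so the regexes see the real SQL
    params = {name: values[0] for name, values in parse_qs(query).items()}
    return {"timestamp": f"{date} {time_}", "method": method, "stem": stem,
            "params": params, "client_ip": client_ip, "status": int(status)}


def inspect_value(value):
    """Names of the signatures that match one decoded parameter value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]


def scan_log(text):
    """Return one finding per request parameter that matches at least one signature."""
    findings = []
    for line in text.splitlines():
        record = parse_iis_line(line)
        if record is None:
            continue
        for param, value in record["params"].items():
            hits = inspect_value(value)
            if hits:
                findings.append({"timestamp": record["timestamp"],
                                 "client_ip": record["client_ip"],
                                 "stem": record["stem"], "param": param,
                                 "signatures": hits})
    return findings


def client_summary(findings):
    """Count findings per source address, a quick pivot for triage."""
    return dict(Counter(f["client_ip"] for f in findings))


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    print(client_summary(scan_log(SAMPLE_LOG)))
```

Matching is done on the decoded parameter value rather than on the raw log text, because injected payloads normally arrive URL-encoded (`%2B` for the concatenation `+`, `%27` for quotes) and a pattern applied to the raw line would miss them. The blind payload on the page produces no error and a 200 response, so the status code carries no signal here; the signature hits and the repetition from one client are what give the event away.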

Discovery and public disclosure timeline

  • 2021-02-22 – Discovery
  • 2021-02-23 – Vendor Contact
  • 2021-02-23 – Vendor Triaged Vulnerability
  • 2021-02-23 – MITRE Assigned CVE

LATEST UPDATES

VMware vulnerabilities advisory

25 February 2021 - by Obrela SOC

On February 23, VMware issued a security advisory (VMSA-2021-0002) regarding three vulnerabilities affecting VMware ESXi, VMware vCenter Server, and VMware Cloud Foundation. According to open source intelligence, it is estimated that more than 6,700 systems are vulnerable.

VMware vCenter Server RCE in vSphere Client (CVE-2021-21972)

The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

Severity: 9.8 (Critical)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/82374

 

ESXi heap overflow (CVE-2021-21974)

A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in the OpenSLP service, resulting in remote code execution.

Severity: 8.8 (Important)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/76372

 

VMware vCenter Server SSRF in vSphere Client (CVE-2021-21973)

A malicious actor with network access to port 443 may exploit this issue by sending a POST request to the vCenter Server plugin, leading to information disclosure.

Severity: 5.3 (Moderate)

Affected versions: 7.0, 6.7, 6.5

Suggested resolution steps: https://kb.vmware.com/s/article/82374

 

Mitigation

Updates are available that remediate these vulnerabilities in the affected VMware products; the workaround steps linked above provide only temporary mitigation. It is advised to apply the provided workarounds for each vulnerability separately, as soon as possible, since exploitation proof-of-concept scripts are now publicly available for both Windows and Linux targets.