MNDT-2021-0012

The Acclaim USAHERDS web application 7.4.0.1 and earlier, in builds prior to November 2021, used static ValidationKey and DecryptionKey values.

Common Weakness Enumeration

CWE-798: Use of Hard-coded Credentials

Impact

High - Knowledge of the ValidationKey and DecryptionKey can be used to achieve Remote Code Execution on the system that runs the application.

Exploitability

Low - The ValidationKey and DecryptionKey values would need to be obtained via a separate vulnerability or other channel.

CVE Reference

CVE-2021-44207

Technical Details

These keys protect the integrity and confidentiality of the application's ViewState. A threat actor who knows the validationKey and decryptionKey for a web application can construct a malicious ViewState that passes the MAC check and is therefore deserialized by the server, and that deserialization can result in the execution of code on the server.
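As an added illustration that is not part of the advisory and is not the vendor's own configuration, the fragment below shows the pattern this weakness describes in an ASP.NET web.config (a fixed machineKey that ships identically with every install) next to a hardened form. The key values in the first block are constructed placeholders, not values from the affected product.

```xml
<!-- WEAK: the same validationKey/decryptionKey are baked into every deployment.
     Anyone who recovers them (from a copy of the product, a backup, or another bug)
     can forge ViewState that passes the MAC check. Values below are placeholders. -->
<system.web>
  <machineKey
    validationKey="PLACEHOLDER_STATIC_VALIDATION_KEY_SHARED_BY_ALL_INSTALLS"
    decryptionKey="PLACEHOLDER_STATIC_DECRYPTION_KEY_SHARED_BY_ALL_INSTALLS"
    validation="SHA1"
    decryption="AES" />
</system.web>

<!-- HARDENED: keys are unique per host/application and are never checked in.
     AutoGenerate,IsolateApps makes ASP.NET derive per-application keys on the
     server, so no two installs share a secret; the MAC remains enforced and
     ViewState is encrypted unconditionally. -->
<system.web>
  <machineKey
    validationKey="AutoGenerate,IsolateApps"
    decryptionKey="AutoGenerate,IsolateApps"
    validation="HMACSHA256"
    decryption="AES" />
  <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
</system.web>
```

AutoGenerate is the right default for a single server. Load-balanced farms need identical keys on every node, so there the fix is explicit keys generated with a cryptographic random source per deployment, stored outside the application package (for example in an externalised config section or a secrets store) and rotated on a schedule, rather than a literal committed to the product's source tree. Either way, an audit of installed copies for identical machineKey values across unrelated deployments is the practical check for this class of issue.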

Discovery Credits

Douglas Bienstock, Mandiant

Disclosure Timeline

  • 2021-11-23 - Issue reported to developer. Developer confirmed a patch had recently been released for the same issue.

References