MNDT-2021-0012
The Acclaim USAHERDS web application, version 7.4.0.1 and earlier (builds prior to November 2021), used static ValidationKey and DecryptionKey values.
Common Weakness Enumeration
CWE-798: Use of Hard-coded Credentials
Impact
High - Knowledge of the ValidationKey and DecryptionKey can be used to achieve Remote Code Execution on the system that runs the application.
Exploitability
Low - The ValidationKey and DecryptionKey values would need to be obtained via a separate vulnerability or other channel.
CVE Reference
CVE-2021-44207
Technical Details
These keys (the validationKey and decryptionKey of the ASP.NET machineKey configuration) protect the integrity and confidentiality of the application's ViewState. A threat actor who knows the validationKey and decryptionKey for a web application can construct a malicious ViewState that passes the MAC check and is therefore deserialized by the server; that deserialization can result in the execution of code on the server.
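As an added example (not code from the advisory or from the vendor), the following Python audit flags the hard-coded machineKey pattern in a Web.config, shows the auto-generated form beside it, and produces fresh keys for deployments that must set explicit values; both config documents are constructed for illustration and are not the USAHERDS configuration.

```python
"""Audit a Web.config for a static <machineKey> (the CWE-798 pattern in
this advisory) and generate a per-deployment replacement.
Constructed example; the configs below are not the vendor's files."""
import secrets
import xml.etree.ElementTree as ET

# Weak pattern: literal keys shipped identically to every installation.
# Key material here is a constructed placeholder, not a real key.
WEAK_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="{'AB' * 64}" decryptionKey="{'CD' * 32}"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Corrected form: ASP.NET generates keys on each server, so there is no
# shared secret to leak from source, backups, or another installation.
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def find_static_machine_keys(config_xml: str) -> list[str]:
    """Return one finding per machineKey attribute holding a literal key.
    A missing attribute defaults to AutoGenerate and is not reported."""
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")
            if not value.startswith("AutoGenerate"):
                findings.append(f"{attr} is hard-coded ({len(value)} hex chars)")
    return findings


def generate_machine_key() -> dict[str, str]:
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for
    AES-256 decryption, hex-encoded as ASP.NET expects."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
    }
```

Explicit keys are still required when one application runs on several servers (the key must match across the farm), but they should come from generate_machine_key() at install time for that deployment only, never from a file checked into the product build.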
Discovery Credits
Douglas Bienstock, Mandiant
Disclosure Timeline
- 2021-11-23 - Issue reported to developer. Developer confirmed a patch had recently been released for the same issue.