- The CMS Sitecore had an account with a encoded password
- Threat actors could use it to load arbitrary files, achieving RCE
- Thousands of final points are potentially at risk
Sitecore Experience Platform, a business level management system (CMS) brought three vulnerabilities that, when they chain together, allowed the threat actors acquisition of vulnerable servers, experts warned.
Watchtowr cybersecurity researchers discovered that the first defect is a encoded password for an internal user, only one letter, 'B', which makes it very easy to guess.
The account has no administration privileges, but Watchtowr found that malicious users could be authenticated through an alternative login route, which would give authenticated access to internal final points.
Patching the defects
This prepares the scenario for the exploitation of the second defect, described as a “Zip Slip” in the Sitecore load assistant.
In a nutshell, the now authenticated attackers can load malicious files due to insufficient route sanitation and the way in which it is mapping the routes. As a result, they can write arbitrary files on the web root.
These two problems alone could be enough to cause serious damage to the compromised server, but the problems do not stop there.
If the website has the Sitecore Powershell Extensions (SPE) module, which is commonly grouped with SXA, attackers can load arbitrary files on specific routes, without going through extension or location restrictions and cause a “reliable RCE”.
All sitecore versions from 10.1 to 10.4 are apparently vulnerable, which translates into approximately 22,000 publicly exposed instances, at the time of publication, but only because all are accessible and execute these versions, it does not necessarily mean that they are all vulnerable.
“Sitecore unfolds in thousands of environments, including banks, airlines and global companies, so the radius of explosion here is massive,” said the Watchtowr CEO, Benjamin Harris Bleepingcomputer.
“And no, this is not theoretical: we have executed the complete chain, from extreme to extreme. If you are running, it does not worsen that this: it turns credits and patch immediately before the attackers inevitably re -falling the engineering engineering.”
So far there were no reports of abuse in nature, but now there is an available patch, so users must update as soon as possible.
