CVE-2019-10068: RCE as Administrator via deserialization vulnerability in Kentico CMS 12.0.14.
Aon’s Cyber Solutions Security Testing team recently discovered a vulnerability, CVE-2019-10068, in the Kentico CMS platform versions 12.0.14 and earlier. This issue allows for unauthenticated remote code execution through a deserialization vulnerability in the staging service. A fix is available in the current version, 12.0.15. This vulnerability was discovered by Manoj Cherukuri and Justin LeMay. Exploit code is currently being withheld.
Aon’s Cyber Solutions would like to thank Kentico for working with us as part of our coordinated disclosure process to quickly remediate this vulnerability.
https://devnet.kentico.com/download/hotfixes#securityBugs-v12
Kentico CMS deserializes an untrusted .NET object graph: a SOAP action exposed by the staging web service takes an XML-encoded SOAP message carried inside an element of the outer SOAP body and deserializes it, which lets an attacker execute arbitrary code on the server and gain unauthorized remote access. The staging service is the component the application uses to synchronize changes between different environments or servers.
The vulnerable web service is installed by default and is exploitable under the default configuration. Deserialization of a synchronization payload is meant to happen only after the caller has authenticated and only when the staging service is enabled (it is disabled by default); however, when a specially crafted request is parsed, the application deserializes the payload even though neither condition is met. The only precondition for exploitation is that the staging service be configured for username-based authentication, which is the default.
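As an added illustration (not Kentico's code, and not the 12.0.15 fix, whose details are not published here), the following C# shows the bug class the advisory describes beside a hardened form: a SOAP web method that deserializes an XML-encoded object graph from the request body before it has checked that staging is enabled and that the caller is authenticated. The service and method names, the `SyncTask` type, the `StagingConfig` stand-in, and the use of `SoapFormatter` as the type-resolving deserializer are all assumptions; the page does not identify which serializer Kentico used.

```csharp
// Added illustration, not Kentico's code: the ordering bug the advisory
// describes (deserialize first, authorize later) beside a hardened version.
// Names, the SyncTask type and the choice of SoapFormatter are assumptions.
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Soap;
using System.Text;
using System.Web.Services;
using System.Xml;
using System.Xml.Serialization;

[Serializable]
public class SyncTask                 // assumed payload type; plain data only,
{                                     // no object-typed members
    public string ObjectType;
    public string ObjectXml;
}

static class StagingConfig            // assumed stand-in for real configuration
{
    public static bool Enabled = false;                       // disabled by default
    public static bool Authenticate(string user, string password)
        => user == "admin" && password == "assumed-secret";   // placeholder check
}

public class StagingServiceVulnerable : WebService
{
    [WebMethod]
    public string ProcessTask(string user, string password, string taskData)
    {
        // BUG CLASS: the XML-encoded object graph from the SOAP body is
        // deserialized before any gate. SoapFormatter instantiates whatever
        // types the payload names, so a crafted graph runs attacker-chosen
        // code here, regardless of the checks below.
        object task;
        using (var ms = new MemoryStream(Encoding.UTF8.GetBytes(taskData)))
            task = new SoapFormatter().Deserialize(ms);

        if (!StagingConfig.Enabled) return "staging disabled";
        if (!StagingConfig.Authenticate(user, password)) return "unauthorized";
        return Handle((SyncTask)task);
    }

    static string Handle(SyncTask t) => "processed " + t.ObjectType;
}

public class StagingServiceHardened : WebService
{
    [WebMethod]
    public string ProcessTask(string user, string password, string taskData)
    {
        // Gate first: the body is not even parsed unless the feature is on
        // and the caller has authenticated.
        if (!StagingConfig.Enabled) return "staging disabled";
        if (!StagingConfig.Authenticate(user, password)) return "unauthorized";

        // Then deserialize with a serializer bound to one concrete type.
        // XmlSerializer(typeof(SyncTask)) never instantiates a type named by
        // the input, and the reader settings refuse DTDs and external entities.
        var serializer = new XmlSerializer(typeof(SyncTask));
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        SyncTask task;
        using (var reader = XmlReader.Create(new StringReader(taskData), settings))
        {
            if (!serializer.CanDeserialize(reader)) return "rejected";
            task = (SyncTask)serializer.Deserialize(reader);
        }
        return Handle(task);
    }

    static string Handle(SyncTask t) => "processed " + t.ObjectType;
}
```

The vulnerable class is the shape of the condition described above: with staging disabled and no valid credentials, `StagingServiceVulnerable.ProcessTask` still hands attacker-controlled XML to a type-resolving deserializer, so the two gates never run. The hardened class moves both gates ahead of any parsing and replaces the polymorphic deserializer with one bound to a single data-only type; both changes are needed, since an authenticated user should not be able to reach a gadget chain either. Operators should also confirm they are running 12.0.15 or later via the hotfix page above.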