- The Sitecore CMS had an account with a hard-coded password
- Threat actors could use it to upload arbitrary files, achieving RCE
- Thousands of endpoints are potentially at risk
Sitecore Experience Platform, an enterprise-grade content management system (CMS), contained three vulnerabilities which, when chained, allowed threat actors to take full control of vulnerable servers, experts have warned.
Cybersecurity researchers at watchTowr discovered that the first flaw is a hard-coded password for an internal user: a single letter, 'B', which makes it trivial to guess.
The account has no administrative privileges, but watchTowr found that malicious users could sign in through a different login path, which gave them authenticated access to internal endpoints.
Post-authentication flaws
This opens the way to exploiting the second flaw, described as a "zip slip" in Sitecore's upload feature.
In short, the now-authenticated attackers can upload malware because of insufficient path sanitization and the way Sitecore maps paths. As a result, they can write arbitrary files into the webroot.
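The "zip slip" pattern described above is a generic archive-extraction weakness, not specific to Sitecore: an entry name such as ../../evil.aspx is joined onto the extraction directory without checking where it resolves. The following Python block is an added illustration, not code from the article or from Sitecore or watchTowr; it builds a constructed sample archive with one escaping entry, shows where a naive extractor would write it, and applies the check a hardened extractor needs (reject absolute names, drive letters, and anything that resolves outside the destination). Function and file names are the author's assumptions.

```python
import io
import os
import zipfile


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus one 'zip slip' entry whose
    name climbs out of the extraction directory with '..' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.txt", "harmless")
        zf.writestr("../../webroot/dropped.txt", "escaped the target dir")
    return buf.getvalue()


def resolved_targets(archive: bytes, dest: str) -> dict:
    """Where a naive extractor (dest joined with the raw entry name, no
    check) would write each member. Computed only, nothing is written."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            out[name] = os.path.normpath(os.path.join(dest, name))
    return out


def is_safe_member(name: str, dest: str) -> bool:
    """The sanitization step: reject absolute names, Windows drive prefixes,
    and any name that resolves outside dest once '..' is collapsed."""
    if name.startswith(("/", "\\")) or ":" in name.split("/")[0]:
        return False
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, name.replace("\\", "/")))
    return os.path.commonpath([dest_abs, target]) == dest_abs


def safe_extract(archive: bytes, dest: str) -> tuple:
    """Extract only members that stay under dest; return (written, rejected).
    Members are opened and written manually so the check above is what
    protects the destination."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def demo() -> dict:
    """Run the constructed archive through both views in a throwaway
    directory and report which entries a naive extractor would have
    placed outside it."""
    import tempfile
    dest = tempfile.mkdtemp(prefix="extract-")
    archive = build_sample_archive()
    written, rejected = safe_extract(archive, dest)
    naive = resolved_targets(archive, dest)
    escapes = [n for n, t in naive.items()
               if os.path.commonpath([dest, t]) != dest]
    return {"dest": dest, "written": written,
            "rejected": rejected, "naive_escapes": escapes}


if __name__ == "__main__":
    print(demo())
```

The check compares the fully resolved target against the destination with os.path.commonpath rather than with a string prefix test, so a sibling directory whose name merely begins with the destination's name (for example /srv/site2 next to /srv/site) is also rejected. CPython's own ZipFile.extract() already strips leading separators and ".." components, which is why the block opens members and writes them itself; a hand-rolled extractor or a web framework's upload handler is where this class of bug typically appears.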
These two problems alone could be enough to cause serious damage to the compromised server, but the problems do not stop there.
If the site has the Sitecore PowerShell Extensions (SPE) module installed, which is usually bundled with SXA, attackers can upload arbitrary files to specific paths, bypassing extension or location restrictions and achieving "reliable RCE".
All Sitecore versions from 10.1 to 10.4 are apparently vulnerable, which amounts to around 22,000 publicly exposed instances at press time, though the fact that they are all reachable and run these versions does not necessarily mean they are all vulnerable.
"Sitecore is deployed in thousands of environments, including banks, airlines and global companies, so the blast radius here is massive," Benjamin Harris, CEO of watchTowr, told BleepingComputer.
"And no, it is not theoretical: we have executed the full chain, from start to finish. If you run Sitecore, it doesn't get worse than this: rotate the credentials and patch immediately before attackers inevitably reverse the fix."
So far there have been no reports of abuse in the wild, but a fix is available now, so users should update as soon as possible.