CVE-2018-15812
Published 2019-07-03
CVE-2018-15812: DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
Priority: P2 · 64 · high · 7.5 CVSS 3.1
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 46.55% (98.7th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dnnsoftware | dotnetnuke | 9.2 – 9.2.2 | — |
| dnnsoftware | dotnetnuke | 9.2 – 9.2.1 | — |
Detection & IOCs
other: ExpandedWrapperOfObjectStateFormatterObjectDataProvider
snort
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- Inspect HTTP cookies for the presence of 'DNNPersonalization=' containing XML with '<profile', 'MethodName', 'Deserialize', and 'MethodParameters'; this is the deserialization exploit payload pattern.
- The exploit triggers cookie processing by requesting a path that results in a DNN 404 response (default: '/__'). Monitor for requests to non-existent DNN paths accompanied by a malformed DNNPersonalization cookie.
- For DNN versions 9.2.0+, the exploit requires an authenticated session (.DOTNETNUKE cookie). Correlate authenticated sessions with suspicious DNNPersonalization cookie content.
- The string 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider' in an HTTP cookie is a high-fidelity indicator of active exploitation of this deserialization chain.
- Encryption of the DNNPersonalization cookie payload is only required for DNN versions 9.2.0 and above. Versions 5.0.0 through 9.1.1 accept unencrypted payloads, broadening the detection surface for those versions.
- CVE-2018-15812 relates to incorrect conversion of encryption key source values resulting in lower than expected entropy, meaning brute-forcing the encryption key for the cookie is more feasible than expected on DNN 9.2–9.2.2.
- The Snort/ET rule (sid:2034308) references both CVE-2018-15811 and CVE-2018-15812 together, as the exploit chain leverages both the weak key entropy and the deserialization vulnerability. Detections should account for both CVEs.
CVSS provenance
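| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | | 7.5 | HIGH | |
| osv | | 7.5 | HIGH | |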
OSV
Insufficient Entropy in DotNetNuke
osv·2019-07-05
CVE-2018-15812 [HIGH] Insufficient Entropy in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
GHSA
Insufficient Entropy in DotNetNuke
ghsa·2019-07-05·CVSS 7.5
CVE-2018-18326 [HIGH] CWE-331 Insufficient Entropy in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
OSV
Insufficient Entropy in DotNetNuke
osv·2019-07-05·CVSS 7.5
CVE-2018-18326 [HIGH] Insufficient Entropy in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.2 incorrectly converts encryption key source values, resulting in lower than expected entropy. NOTE: this issue exists because of an incomplete fix for CVE-2018-15812.
GHSA
Insufficient Entropy in DotNetNuke
ghsa·2019-07-05
CVE-2018-15812 [HIGH] CWE-331 Insufficient Entropy in DotNetNuke
DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.
Suricata
ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
suricata·2021-11-01·CVSS 7.5
CVE-2017-9822 [HIGH] ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)
Exploit-DB
DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
exploitdb·2020-04-16
CVE-2018-18326 DotNetNuke - Cookie Deserialization Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
require 'openssl'
require 'set'
class MetasploitModule active_timeout
}
# payload handler is normally set up and started here
# but has been removed so we can start the handler when needed.
end
def initialize(info = {})
super(update_info(
info,
'Name' => "DotNetNuke Cookie Deserialization Remote Code Execution",
'Description' => %q(
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC.
Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML.
The expect
Metasploit
DotNetNuke Cookie Deserialization Remote Code Execution
metasploit
This module exploits a deserialization vulnerability in DotNetNuke (DNN) versions 5.0.0 to 9.3.0-RC. Vulnerable versions store profile information for users in the DNNPersonalization cookie as XML. The expected structure includes a "type" attribute to instruct the server which type of object to create on deserialization. The cookie is processed by the application whenever it attempts to load the current user's profile data. This occurs when DNN is configured to handle 404 errors with its built-in error page (default configuration). An attacker can leverage this vulnerability to execute arbitrary code on the system.
- http://packetstormsecurity.com/files/157080/DotNetNuke-Cookie-Deserialization-Remote-Code-Execution.html
- https://github.com/dnnsoftware/Dnn.Platform/releases
- https://www.dnnsoftware.com/community/security/security-center