CVE-2018-15812
published 2019-07-03

CVE-2018-15812: DNN (aka DotNetNuke) 9.2 through 9.2.1 incorrectly converts encryption key source values, resulting in lower than expected entropy.

Priority: P2, 64, high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EXPLOIT
EPSS: 46.55% (98.7th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
dnnsoftware | dotnetnuke | 9.2 – 9.2.2 |
dnnsoftware | dotnetnuke | 9.2 – 9.2.1 |

Detection & IOCs (extracted from sources)

cookie: DNNPersonalization
other: ExpandedWrapperOfObjectStateFormatterObjectDataProvider
cookie: .DOTNETNUKE
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT DotNetNuke 9.2-9.2.2 Cookie Deserialization Exploit (CVE-2018-15811)"; flow:established,to_server; content:"ExpandedWrapperOfObjectStateFormatterObjectDataProvider"; fast_pattern; http.cookie; content:"DNNPersonalization="; nocase; content:"<profile"; nocase; content:"MethodName"; nocase; distance:0; content:"Deserialize"; nocase; distance:0; content:"MethodParameters"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/48336; reference:cve,2017-9822; reference:cve,2018-15811; reference:cve,2018-18326; reference:cve,2018-18325; reference:cve,2018-15812; classtype:attempted-admin; sid:2034308; rev:1; metadata:attack_target Server, created_at 2021_11_01, cve CVE_2018_15811, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, tag CISA_KEV, updated_at 2021_11_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Inspect HTTP cookies for the presence of 'DNNPersonalization=' containing XML with '<profile', 'MethodName', 'Deserialize', and 'MethodParameters' — this is the deserialization exploit payload pattern.
  • The exploit triggers cookie processing by requesting a path that results in a DNN 404 response (default: '/__'). Monitor for requests to non-existent DNN paths accompanied by a malformed DNNPersonalization cookie.
  • For DNN versions 9.2.0+, the exploit requires an authenticated session (.DOTNETNUKE cookie). Correlate authenticated sessions with suspicious DNNPersonalization cookie content.
  • The string 'ExpandedWrapperOfObjectStateFormatterObjectDataProvider' in an HTTP cookie is a high-fidelity indicator of active exploitation of this deserialization chain.
  • Encryption of the DNNPersonalization cookie payload is only required for DNN versions 9.2.0 and above. Versions 5.0.0 through 9.1.1 accept unencrypted payloads, broadening the detection surface for those versions.
  • CVE-2018-15812 relates to incorrect conversion of encryption key source values resulting in lower than expected entropy, meaning brute-forcing the encryption key for the cookie is more feasible than expected on DNN 9.2–9.2.2.
  • The Snort/ET rule (sid:2034308) references both CVE-2018-15811 and CVE-2018-15812 together, as the exploit chain leverages both the weak key entropy and the deserialization vulnerability. Detections should account for both CVEs.
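
The cookie checks listed above, applied to parsed HTTP request records. This is an added example, not code from the cited rule or from DNN; the record fields (`path`, `status`, `cookie`), the verdict names and the sample records are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicator strings taken from the rule and notes above, compared case-insensitively.
TYPE_MARKER = "expandedwrapperofobjectstateformatterobjectdataprovider"
# Ordered markers: each must appear after the previous one in the cookie value.
ORDERED = re.compile(r"<profile.*?methodname.*?deserialize.*?methodparameters", re.S)

def parse_cookies(header):
    """Split a Cookie header into {name: url-decoded value}."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = unquote(value)
    return jar

def classify(request):
    """Return (verdict, reasons) for one request record (assumed dict layout)."""
    jar = parse_cookies(request.get("cookie", ""))
    by_lower = {k.lower(): v for k, v in jar.items()}
    pers = by_lower.get("dnnpersonalization")
    reasons = []
    if any(TYPE_MARKER in v.lower() for v in jar.values()):
        reasons.append("type-marker")
    if pers is not None and ORDERED.search(pers.lower()):
        reasons.append("profile-method-sequence")
    if pers is not None and ".dotnetnuke" in by_lower:
        reasons.append("authenticated-session")
    if pers is not None and request.get("status") == 404:
        reasons.append("404-with-personalization-cookie")
    if "type-marker" in reasons or "profile-method-sequence" in reasons:
        return "alert", reasons
    if "404-with-personalization-cookie" in reasons:
        return "review", reasons
    return "ok", reasons

# Constructed sample records (markers only, placeholder content, not real traffic).
SAMPLES = [
    {"path": "/__", "status": 404, "cookie": "DNNPersonalization=%3Cprofile ... "
     "ExpandedWrapperOfObjectStateFormatterObjectDataProvider ... MethodName ... "
     "Deserialize ... MethodParameters PLACEHOLDER"},
    {"path": "/__", "status": 404,
     "cookie": ".DOTNETNUKE=CONSTRUCTED; DNNPersonalization=OPAQUE-CONSTRUCTED-VALUE"},
    {"path": "/", "status": 200, "cookie": "language=en-US"},
]

if __name__ == "__main__":
    for record in SAMPLES:
        print(record["path"], record["status"], *classify(record))
```

Because the payload is encrypted on DNN 9.2.0 and above, the content markers only match cleartext cookies; the `review` verdict covers the 404 and session correlation described in the notes above.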

CVSS provenance

nvd (v3.1): 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd (v2.0): 5.0 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa: 7.5 HIGH
osv: 7.5 HIGH