CVE-2019-10068
Published 2019-03-26
Priority: P1 (98) · Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability (remediation due 2022-04-15)
Exploited in the wild
EPSS: 96.03% (99.9th percentile)
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kentico | xperience | >= 10.0.0 < 10.0.52 | 10.0.52 |
| kentico | xperience | >= 11.0.0 < 11.0.48 | 11.0.48 |
| kentico | xperience | >= 12.0.0 < 12.0.15 | 12.0.15 |
| kentico | xperience | 9.0.0 – 9.0.51 | — |
Detection & IOCs (extracted from sources)
Sigma
HTTP POST to /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData returning HTTP 500 followed by HTTP 200
- Look for HTTP POST requests to /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData with Content-Type: application/x-www-form-urlencoded and a body containing the 'stagingTaskData' parameter carrying a serialized SOAP envelope with WindowsIdentity/ClaimsIdentity payloads.
- Exploitation produces a response body containing 'System.InvalidCastException' and 'System.Web.Services.Protocols.SoapException' with HTTP status 500 on the initial probe request, followed by a successful HTTP 200 on the actual exploit request.
- The vulnerability affects Kentico versions 9.x, 10.0.x before 10.0.52, 11.0.x before 11.0.48, and 12.0.x before 12.0.15. Detection rules targeting the SyncServer.asmx endpoint should be scoped to these version ranges to reduce false positives on patched systems.
- The exploit bypasses authentication entirely; network-layer controls or authentication-based detections will not catch this attack. Detection must focus on the unauthenticated POST to the staging endpoint and resulting W3WP.EXE child process activity.
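The 500-then-200 sequence described above can be checked against IIS access logs. This is an added example, not a rule from any of the sources on this page; it assumes the W3C field order stated in the comment, and the log lines are constructed for illustration.

```python
"""Flag the CVE-2019-10068 probe-then-exploit pattern in IIS W3C log lines.
Added example; the field layout below is an assumption, not a Kentico default."""

STAGING_ENDPOINT = "/CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData"

# Constructed sample. Assumed field order (a common IIS W3C layout):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-05 10:00:01 10.0.0.5 GET /CMSPages/GetResource.ashx - 443 - 203.0.113.9 Mozilla/5.0 200
2024-01-05 10:00:03 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 - 203.0.113.9 python-requests/2.31 500
2024-01-05 10:00:04 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 - 203.0.113.9 python-requests/2.31 200
2024-01-05 10:00:09 10.0.0.5 POST /CMSPages/Staging/SyncServer.asmx/ProcessSynchronizationTaskData - 443 - 198.51.100.7 Mozilla/5.0 500
"""


def parse_line(line):
    """Return (client_ip, method, uri_stem, status) for one W3C log line, or None
    for directives (#Fields, #Date) and malformed lines."""
    fields = line.split()
    if len(fields) < 11 or fields[0].startswith("#"):
        return None
    return fields[8], fields[3], fields[4], int(fields[10])


def find_staging_sequences(log_text):
    """Return (flagged, touched): 'flagged' lists client IPs whose POST to the
    staging endpoint got HTTP 500 and a later POST got HTTP 200 (the sequence the
    Sigma rule describes); 'touched' is every IP that POSTed to the endpoint at all,
    which on a patched host should normally only be the staging peer."""
    seen_500 = set()
    flagged = []
    touched = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, uri, status = rec
        # IIS paths are case-insensitive, so compare case-folded.
        if method != "POST" or uri.lower() != STAGING_ENDPOINT.lower():
            continue
        touched.add(ip)
        if status == 500:
            seen_500.add(ip)
        elif status == 200 and ip in seen_500 and ip not in flagged:
            flagged.append(ip)
    return flagged, touched
```

Any source in `touched` that is not a known staging peer deserves review even without the 500/200 pair, since a single unauthenticated POST to this endpoint already matches the first indicator above.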
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Kentico Xperience Deserialization of Untrusted Data Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2019-10068 [CRITICAL] CWE-502 Kentico Xperience Deserialization of Untrusted Data Vulnerability
Vulnerability: Kentico Xperience Deserialization of Untrusted Data Vulnerability
Affected: Kentico Xperience
Kentico contains a failure to validate security headers. This deserialization can lead to unauthenticated remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-10068
Remediation Due Date: 2022-04-15
GHSA
GHSA-f7w4-79f7-fhp3: An issue was discovered in Kentico 12
ghsa_unreviewed·2022-05-13
CVE-2019-10068 [CRITICAL] CWE-502 GHSA-f7w4-79f7-fhp3: An issue was discovered in Kentico 12
VulnCheck
Kentico Xperience Deserialization of Untrusted Data Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-10068 [CRITICAL] CWE-502 Kentico Xperience Deserialization of Untrusted Data Vulnerability
Kentico Xperience Deserialization of Untrusted Data Vulnerability
Kentico contains a failure to validate security headers. This deserialization can lead to unauthenticated remote code execution.
Affected: Kentico Xperience CMS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-29&host_type=src&vulnerability=cve-2019-10068; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-30&host_type=src&vulnerability=cve-2019-10068; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2019-10068; https
No detection rules found.
Nuclei
Kentico CMS Insecure Deserialization Remote Code Execution
nuclei·CVSS 9.8
CVE-2019-10068 [CRITICAL] Kentico CMS Insecure Deserialization Remote Code Execution
Kentico CMS Insecure Deserialization Remote Code Execution
Kentico CMS is susceptible to remote code execution via a .NET deserialization vulnerability.
Template:
```yaml
id: CVE-2019-10068

info:
  name: Kentico CMS Insecure Deserialization Remote Code Execution
  author: davidmckennirey
  severity: critical
  description: Kentico CMS is susceptible to remote code execution via a .NET deserialization vulnerability.
  impact: |
    Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patches and updates provided by Kentico CMS to mitigate this vulnerability.
  reference:
    - https://www.aon.com/cyber-solutions/aon_cyber_labs/unauthenticated-remote-code-execution-in-kentico
```
Metasploit
Kentico CMS Staging SyncServer Unserialize Remote Command Execution
metasploit
This module exploits a vulnerability in the Kentico CMS platform versions 12.0.14 and earlier. Remote Command Execution is possible via unauthenticated XML requests to the Staging Service SyncServer.asmx interface ProcessSynchronizationTaskData method stagingTaskData parameter. XML input is passed to an insecure .NET deserialize call which allows for remote command execution.
References:
- http://packetstormsecurity.com/files/157588/Kentico-CMS-12.0.14-Remote-Command-Execution.html
- https://devnet.kentico.com/download/hotfixes#securityBugs-v12
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-10068
Timeline:
- 2019-03-26: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild