NFA - Exploitation of insecure deserialisation vulnerabilities in IIS check

Article ID: 223261

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

IIS is running on the NFA harvester and console server. Would like to check whether GAdvisory-2021-023: Advisory on Exploitation of Insecure Deserialisation Vulnerabilities in IIS affects the product.

Advise whether Telerik UI and Checkbox Survey are plugins required for NFA to run.

Environment

Release : 10.0.3/10.0.x

Component : NQRPTA - REPORTERANALYZER

NFA :Console/Harvester

Resolution

The vulnerabilities that have been exploited by the threat actor include:

1. Checkbox Survey RCE Exploit (CVE-2021-27852)
2. VIEWSTATE Deserialization Exploit
3. Telerik-UI Exploit (CVE-2019-18935 and CVE-2017-11317)


1. CVE-2021-27852 Checkbox Survey insecurely deserializes ASP.NET View State data.

Checkbox Survey is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a _VSTATE argument, which it then deserializes using LosFormatter. 

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27852
Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. This issue affects: Checkbox Survey versions prior to 7.

NFA does not use CheckboxWeb.dll or the Checkbox Survey application, so there is no impact to the NFA console.


2. VIEWSTATE Deserialization Exploit
The topic of __VSTATE deserialization exploits was covered in the past by the Graa Security Blog; the vulnerable piece of code was found in version 6 of the "Checkbox Survey" software.

https://www.graa.nl/articles/2010.html

A search of the NFA codebase for Request.Form["__VSTATE"] or Request.Form["__VIEWSTATE"] found no references.
NFA does not override LoadPageStateFromPersistenceMedium with a custom compressed View State; it uses only the default .NET View State handling, which protects against deserialization attacks by default.
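As an added example (not NFA code and not part of the advisory), the following Python script turns the codebase check described above into a repeatable audit: it scans a web root for the Checkbox-style custom View State patterns (Request.Form["__VSTATE"] / ["__VIEWSTATE"], an overridden LoadPageStateFromPersistenceMedium, LosFormatter deserialization) and for a web.config that disables the View State MAC the default .NET handling relies on. The sample file names and contents are constructed.

```python
"""Audit an ASP.NET code tree for the custom View State patterns described above.
Added example; not part of the NFA product or the advisory. Sample files are constructed."""
import re
from pathlib import Path

# Source patterns matching the Checkbox-Survey-style custom View State handling
# discussed above. A hit warrants manual review; it is not proof of exploitability.
SOURCE_PATTERNS = {
    "custom_vstate_form_field": re.compile(r'Request\.Form\[\s*"__VSTATE"\s*\]'),
    "raw_viewstate_form_field": re.compile(r'Request\.Form\[\s*"__VIEWSTATE"\s*\]'),
    "page_state_override": re.compile(r'\boverride\b[^;{]*LoadPageStateFromPersistenceMedium'),
    "losformatter_deserialize": re.compile(r'\bLosFormatter\b[^;]*Deserialize'),
}
# In web.config, enableViewStateMac="false" turns off the MAC check that makes the
# default .NET View State tamper-resistant; the safe setting is "true" (the default).
CONFIG_PATTERN = re.compile(r'enableViewStateMac\s*=\s*"false"', re.IGNORECASE)
SOURCE_SUFFIXES = {".cs", ".vb", ".aspx", ".ascx", ".config"}

def scan_text(name: str, text: str) -> list[tuple[str, str]]:
    """Return (file name, finding label) pairs for one file's contents."""
    if name.lower() == "web.config":
        return [(name, "viewstate_mac_disabled")] if CONFIG_PATTERN.search(text) else []
    return [(name, label) for label, pat in SOURCE_PATTERNS.items() if pat.search(text)]

def scan_tree(root: str) -> list[tuple[str, str]]:
    """Walk a real code tree (e.g. the IIS web root) and collect findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            findings.extend(scan_text(path.name, path.read_text(errors="ignore")))
    return findings

# Constructed sample files: one page with the risky custom handling, one that
# relies on the default View State machinery, and a web.config with the MAC off.
SAMPLE_FILES = {
    "Survey.aspx.cs": 'protected override object LoadPageStateFromPersistenceMedium() {\n'
                      '    string s = Request.Form["__VSTATE"];\n'
                      '    return new LosFormatter().Deserialize(Decompress(s)); }',
    "Report.aspx.cs": 'protected void Page_Load(object sender, EventArgs e) { BindGrid(); }',
    "web.config": '<pages enableViewStateMac="false" />',
}

def audit_samples() -> list[tuple[str, str]]:
    """Run the scanner over the constructed samples (same logic as scan_tree)."""
    findings = []
    for name, text in SAMPLE_FILES.items():
        findings.extend(scan_text(name, text))
    return findings
```

Run scan_tree against the console's IIS web root to repeat the check on a real installation; audit_samples() shows the expected findings on the constructed files.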

 

3. Telerik-UI Exploit (CVE-2019-18935, CVE-2017-11317)

Telerik is known for several products providing functionality to web application development. One of the products,
Telerik UI for ASP.NET AJAX, is a widely used suite of UI components for web applications. Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX before R1 2017 and R2 before R2 2017 SP2 uses weak RadAsyncUpload encryption, which allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

NFA does not use Telerik and its encryption.

Only the NFA console uses the IIS server, not the Harvester, so IIS can be disabled on the harvesters.
