The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new vulnerability, CVE-2021-44207, to its Known Exploited Vulnerabilities (KEV) Catalog. This action follows evidence of active exploitation and aims to alert organizations to the potential risks posed by this vulnerability.
Overview of CVE-2021-44207
CVE-2021-44207, identified in the Acclaim Systems USAHERDS web application version 7.4.0.1 and earlier (builds prior to November 2021), is a hard-coded credentials vulnerability. The vulnerability, classified under CWE-798, arises from the use of static ValidationKey and DecryptionKey values.
These keys, which are integral to the security of the application’s ViewState, can be exploited to achieve remote code execution (RCE). A malicious actor with access to these keys can manipulate the application’s server into deserializing a maliciously crafted ViewState payload, potentially enabling unauthorized execution of code on the server hosting the application.
Key Details:
- Published: December 21, 2021
- Updated: December 21, 2021
- Impact: High – Knowledge of the hard-coded keys could lead to RCE.
- Exploitability: Low – The hard-coded keys must first be obtained through another vulnerability or an alternate channel.
Technical Breakdown of the Vulnerability
The Acclaim Systems USAHERDS web application leverages ValidationKey and DecryptionKey values to ensure the integrity and confidentiality of its ViewState data. ViewState is used to persist the state of web application controls between client and server interactions.
When these keys are hard-coded and become known to an attacker, the following risks emerge:
- Bypassing Integrity Checks: An attacker can craft a ViewState payload that bypasses the Message Authentication Code (MAC) verification process.
- Deserialization of Malicious Data: The crafted payload can then be deserialized by the server, potentially executing unauthorized code and compromising the application.
This vulnerability’s high impact rating stems from the potential consequences of a successful exploit. However, its low exploitability rating indicates that the attacker must first gain access to the hard-coded keys through a separate method, such as exploiting another vulnerability or accessing sensitive system configurations.
Implications for Cybersecurity
These types of vulnerabilities are common attack vectors and can pose significant risks, particularly to federal enterprises. While there is no confirmed evidence linking CVE-2021-44207 to ransomware campaigns, the possibility of its misuse cannot be discounted. Exploiting such vulnerabilities could allow malicious actors to compromise critical systems, steal sensitive data, or disrupt operations.
Mitigation Actions
CISA advises organizations to take immediate action to address this vulnerability. Recommended steps include:
- Apply Vendor Mitigations: Follow instructions provided by the vendor to secure the application.
- Discontinue Usage: If mitigations are unavailable, consider discontinuing the use of the vulnerable product.
- Contact Vendor Support: Reach out to Acclaim Systems for detailed guidance on patching or mitigating this vulnerability.
CISA further urges organizations to integrate proactive measures into their vulnerability management practices by prioritizing the remediation of vulnerabilities listed in the KEV Catalog.
Discovery and Acknowledgment
The vulnerability was discovered and reported by Douglas Bienstock of Mandiant. His work highlights the importance of rigorous testing and reporting in identifying critical flaws that could be exploited by malicious actors.
Binding Operational Directive (BOD) 22-01
The inclusion of CVE-2021-44207 in the KEV Catalog aligns with CISA’s Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Established to enhance federal cybersecurity, BOD 22-01 mandates the remediation of cataloged vulnerabilities within specified timelines by Federal Civilian Executive Branch (FCEB) agencies.
Key Highlights of BOD 22-01:
- Purpose: Protect FCEB networks against active threats by addressing known vulnerabilities.
- Scope: Applies directly to FCEB agencies but serves as a benchmark for all organizations to follow.
- Call to Action: CISA strongly encourages private organizations to incorporate the KEV Catalog into their vulnerability management processes to minimize exposure to cyberattacks.
Broader Recommendations for Organizations
CISA’s actions serve as a reminder of the persistent threats posed by known vulnerabilities. Organizations should adopt the following cybersecurity best practices to strengthen their security posture:
- Regular Vulnerability Assessments: Conduct frequent assessments to identify and address vulnerabilities in your systems.
- Timely Patch Management: Ensure all systems are up to date with the latest security patches.
- Monitor Threat Intelligence: Stay informed about newly identified vulnerabilities and active exploitations.
- Limit Hard-Coded Credentials: Avoid using static keys or credentials within applications. Where such usage is unavoidable, implement secure key management practices.
Conclusion
The addition of CVE-2021-44207 to CISA’s Known Exploited Vulnerabilities Catalog highlights the importance of vigilance and timely remediation in today’s cybersecurity landscape. While this vulnerability may require specific conditions for exploitation, its potential impact on affected systems is significant.
Organizations, regardless of their affiliation with federal agencies, are encouraged to take immediate steps to secure their systems against this and other cataloged vulnerabilities.
