- Sitecore CMS had an account with a hard-coded password
- Threat actors could use it to upload arbitrary files and obtain RCE
- Thousands of endpoints are potentially at risk
Sitecore Experience Platform, an enterprise-level Content Management System (CMS), carried three vulnerabilities that, when chained together, allow threat actors full takeover of vulnerable servers, experts have warned.
Cybersecurity researchers at watchTowr found that the first flaw is a hard-coded password for an internal user: only one letter, ‘B’, making it trivial to guess.
The account does not have admin privileges, but watchTowr found that malicious users could authenticate via an alternative login path, which would give them authenticated access to internal endpoints.
Patching the flaws
This sets the scene for exploiting the second flaw, described as a “zip slip” in the Sitecore Upload Guide.
In short, the now-authenticated attackers can upload malicious files because of insufficient path sanitization and the way Sitecore maps paths. As a result, they can write arbitrary files into the webroot.
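The guard that a “zip slip” bug like the one described is missing is easy to state: every archive entry must be resolved against the destination directory and refused if it would land anywhere else, before any byte is written. The block below is an added example, not Sitecore’s or watchTowr’s code, and it makes no claim about how Sitecore’s upload handler is built; the destination directory, the entry names and the sample archive are all constructed for illustration. It goes slightly beyond the article by also catching backslash separators, absolute names and drive-letter prefixes, which matter on the Windows/IIS hosts Sitecore typically runs on.

```python
"""
Zip-slip guard for archive uploads.

Added example, not Sitecore's or watchTowr's code. It shows the check the
article says is missing: each archive entry is resolved against the
destination directory and rejected if it would escape it, before writing.
"""
import io
import os
import posixpath
import tempfile
import zipfile


def resolve_entry(dest_dir: str, member_name: str):
    """Return the absolute on-disk path for one archive entry, or None if the
    entry would escape dest_dir.

    Rejects '..' traversal, absolute names, drive-letter prefixes and
    backslash separators (archives aimed at IIS/Windows hosts often use '\\').
    """
    name = member_name.replace("\\", "/")
    # Absolute names and drive letters never belong in an upload: reject outright.
    if name.startswith("/") or (len(name) >= 2 and name[1] == ":"):
        return None
    # Collapse '.' and '..' lexically with posixpath so the result is the same
    # on Windows and Linux; anything still starting with '..' points outside.
    normalized = posixpath.normpath(name)
    if normalized in ("", ".", "..") or normalized.startswith("../"):
        return None
    dest_abs = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_abs, *normalized.split("/")))
    # Final containment check after symlink resolution: target must sit under dest.
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract archive_bytes into dest_dir, skipping entries that fail the guard.
    Returns (extracted_names, rejected_names) in archive order."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if target is None:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


# Constructed sample archive (names are illustrative, not from the advisory):
# one benign entry plus three traversal attempts the guard must catch.
SAMPLE_ENTRIES = [
    ("images/logo.txt", b"benign asset"),
    ("../../escaped.txt", b"would land two levels above dest"),
    ("sub\\..\\..\\escaped2.txt", b"same trick with backslashes"),
    ("/absolute.txt", b"absolute path"),
]


def build_sample_archive() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_ENTRIES:
            zf.writestr(name, data)  # writestr stores names unsanitized
    return buf.getvalue()


def demo():
    """Run the guard on the sample archive in a throwaway directory.
    Returns (extracted, rejected, number_of_files_written_under_dest)."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        written = sum(len(files) for _, _, files in os.walk(dest))
    return extracted, rejected, written


if __name__ == "__main__":
    ex, rj, n = demo()
    print("extracted:", ex)
    print("rejected: ", rj)
    print("files written under dest:", n)
```

The lexical normalization and the post-`realpath` containment check are deliberately both present: the first rejects obviously hostile names cheaply, the second catches anything that survives normalization but still resolves outside the destination (for example through a symlinked subdirectory). Skipping a bad entry rather than aborting the whole upload is a policy choice; a stricter handler would reject the entire archive on the first failed entry.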
These two issues alone may be enough to cause serious damage to the compromised server, but the problems don’t stop there.
If the site has the Sitecore PowerShell Extensions (SPE) module installed, which is often bundled with SXA, attackers can upload arbitrary files to specific paths, bypassing the extension and location restrictions and resulting in a “reliable RCE”.
All Sitecore versions from 10.1 to 10.4 are apparently vulnerable, which translates to approximately 22,000 publicly exposed instances at press time. But just because they are all reachable and run these versions does not necessarily mean they are all vulnerable.
“Sitecore is deployed across thousands of environments, including banks, airlines and global enterprises – so the blast radius here is massive,” watchTowr CEO Benjamin Harris told BleepingComputer.
“And no, this is not theoretical: we have run the full chain, end-to-end. If you run Sitecore, it doesn’t get worse than this – rotate creds and patch immediately, before the attackers inevitably reverse-engineer the fix.”
So far, there have been no reports of abuse in the wild, but a patch is now available, so users should update as soon as possible.