{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/706695#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nCheckbox Survey prior to version 7.0 insecurely deserializes ASP.NET [View State](https://docs.microsoft.com/en-us/previous-versions/aspnet/bb386448(v=vs.100)) data, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable server.\r\n\r\n### Description\r\n\r\n**CVE-2021-27852**\r\nCheckbox Survey insecurely deserializes ASP.NET View State data.\r\n\r\n[Checkbox Survey](https://www.checkbox.com/) is an ASP.NET application that can add survey functionality to a website. Prior to version 7.0, Checkbox Survey implements its own View State functionality by accepting a `_VSTATE` argument, which it then deserializes using [LosFormatter](https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8). Because this data is manually handled by the Checkbox Survey code, the ASP.NET ViewState Message Authentication Code (MAC) setting on the server is ignored. Without MAC, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution.\r\n\r\nThis vulnerability is reportedly being exploited in the wild.\r\n\r\n### Impact\r\nBy making a specially-crafted request to a server that uses Checkbox Survey 6.x or earlier, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the web server.\r\n\r\n### Solution\r\n#### Apply an update\r\nStarting with Checkbox Survey 7.0, View State data is not used. Therefore, Checkbox Survey versions 7.0 and later do not contain this vulnerability.\r\n\r\n#### Remove Checkbox Survey versions older than 7\r\nCheckbox is no longer developing Checkbox Survey version 6, so this version is no longer safe to use. If you are unable to update to an unaffected version of Checkbox Survey, this software should be removed from any systems that have it installed.\r\n\r\n### Acknowledgements\r\nThanks to the reporter who wishes to remain anonymous.\r\n\r\nThis document was written by Will Dormann.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/706695"},{"url":"https://www.checkbox.com/","summary":"https://www.checkbox.com/"},{"url":"https://docs.microsoft.com/en-us/previous-versions/aspnet/bb386448(v=vs.100)","summary":"https://docs.microsoft.com/en-us/previous-versions/aspnet/bb386448(v=vs.100)"},{"url":"https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8","summary":"https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.losformatter?view=netframework-4.8"},{"url":"https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817","summary":"https://swapneildash.medium.com/deep-dive-into-net-viewstate-deserialization-and-its-exploitation-54bf5b788817"}],"title":"Checkbox Survey insecurely deserializes ASP.NET View State data","tracking":{"current_release_date":"2021-05-25T20:33:29+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.35"}},"id":"VU#706695","initial_release_date":"2021-05-25 20:33:29.250016+00:00","revision_history":[{"date":"2021-05-25T20:33:29+00:00","number":"1.20210525203329.1","summary":"Released on 2021-05-25T20:33:29+00:00"}],"status":"final","version":"1.20210525203329.1"}},"vulnerabilities":[{"title":"Checkbox Survey insecurely deserializes ASP.","notes":[{"category":"summary","text":"Checkbox Survey insecurely deserializes ASP.NET View State data."}],"cve":"CVE-2021-27852","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#706695"}],"product_status":{"known_affected":["CSAFPID-e4f7ae26-39db-11f1-8422-122e2785dc9f"]}}],"product_tree":{"branches":[{"category":"vendor","name":"Checkbox","product":{"name":"Checkbox Products","product_id":"CSAFPID-e4f7ae26-39db-11f1-8422-122e2785dc9f"}}]}}