One of the world's most popular CMS tools has an embarrassing security flaw, so patch immediately
Three Sitecore bugs can be chained to achieve RCE

- The Sitecore CMS had an account with a hardcoded password
- Threat actors could use it to upload arbitrary files, achieving RCE
- Thousands of endpoints are potentially at risk
Sitecore Experience Platform, an enterprise-grade content management system (CMS), carried three vulnerabilities which, when chained together, allow an attacker to fully take over a vulnerable server, experts have warned.
Cybersecurity researchers at watchTowr found that the first flaw is a hardcoded password for an internal user account: a single letter, 'b', which makes it trivial to guess.
The account does not have admin privileges, but watchTowr found that an attacker could authenticate with it via an alternate login path, gaining authenticated access to internal endpoints.
Patching the flaws
This sets the stage for the exploitation of the second flaw, described as a "Zip Slip" in the Sitecore Upload Wizard.
In a nutshell, the now-authenticated attacker can upload a crafted archive whose entry names escape the intended extraction directory, owing to insufficient path sanitization and the way Sitecore maps paths. As a result, they can write arbitrary files into the webroot.
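To make the Zip Slip bug class concrete, here is an added illustration (not Sitecore's Upload Wizard code, nor anything from watchTowr's research) of the vulnerable extraction pattern beside a hardened one. The archive, its entry names and the `site/uploads` and `webroot` directory layout are constructed for the demonstration; the Sitecore-specific path mapping the article mentions is not reproduced.

```python
"""Zip Slip: an archive entry named with '..' segments (or an absolute path) is
joined onto the extraction directory without a containment check, so the file
lands wherever the attacker chose, such as the webroot. Added illustration of
the bug class, not Sitecore's code; all names and paths are constructed."""
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive: one benign entry, one that climbs out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/logo.txt", "benign content")
        # zipfile stores the entry name verbatim, including the '..' segments.
        zf.writestr("../../webroot/shell.aspx", "<% /* attacker payload */ %>")
    return buf.getvalue()


def naive_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Vulnerable pattern: trusts the entry name and joins it onto dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened pattern: resolve every entry and require it to stay under dest,
    validating the whole archive before writing a single byte."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        plan = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            # commonpath, not startswith: '/srv/site' must not accept
            # '/srv/site_evil/x'. Absolute entry names fail this check too,
            # because os.path.join discards root when the entry is absolute.
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"zip slip rejected: {info.filename!r}")
            plan.append((info, target))
        written = []
        for info, target in plan:
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demonstrate() -> dict:
    """Run both extractors in a scratch tree and report what escaped."""
    blob = build_malicious_zip()
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        # Two levels deep so the '../../' escape still lands inside tmp.
        dest = os.path.join(tmp, "site", "uploads")
        os.makedirs(dest)
        escaped = [os.path.relpath(p, tmp).replace(os.sep, "/")
                   for p in naive_extract(blob, dest)
                   if os.path.commonpath([dest, p]) != dest]
        try:
            kept = safe_extract(blob, dest)
            rejected = False
        except ValueError:
            kept = []
            rejected = True
    return {"naive_escaped": escaped, "safe_rejected": rejected,
            "safe_wrote": len(kept)}


if __name__ == "__main__":
    print(demonstrate())
```

The naive extractor writes `webroot/shell.aspx` one directory above its `uploads` target; the hardened one refuses the whole archive before touching disk, so a partially extracted upload cannot be left behind. Python's own `ZipFile.extract` strips `..` components, which is why the vulnerable variant writes files by hand; the same containment check applies to any language whose archive API hands back raw entry names.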
These two issues alone could be enough to cause some serious damage on the compromised server, but the problems don’t stop there.
If the site has the Sitecore PowerShell Extensions (SPE) module installed, which is commonly bundled with Sitecore Experience Accelerator (SXA), the attacker can upload arbitrary files to specific paths, bypassing extension and location restrictions and turning the chain into what watchTowr calls a "reliable RCE".
All Sitecore versions from 10.1 to 10.4 are reported to be affected, which corresponds to roughly 22,000 publicly exposed instances at press time. Being reachable and running an affected version does not by itself confirm that an instance is exploitable, however, since the later stages of the chain depend on how the deployment is configured and which modules are installed.
"Sitecore is deployed across thousands of environments, including banks, airlines, and global enterprises — so the blast radius here is massive," watchTowr CEO Benjamin Harris told BleepingComputer.
"And no, this isn't theoretical: we've run the full chain, end-to-end. If you're running Sitecore, it doesn't get worse than this – rotate creds and patch immediately before attackers inevitably reverse engineer the fix."
So far there have been no reports of abuse in the wild, but a patch is available now, so users should update as soon as possible.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.