CVE-2019-10068
Published: 26 March 2019
Summary
CVE-2019-10068 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Kentico CMS (later branded Kentico Xperience). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2019-10068 is a deserialization vulnerability affecting the staging service in Kentico CMS versions 12.0.x prior to 12.0.15, 11.0.x prior to 11.0.48, 10.0.x prior to 10.0.52, and all 9.x releases (no fixed 9.x build is listed). The root cause is insufficient validation of the security headers the staging service relies on for authentication: a crafted request passes the initial authentication check and reaches the code path that deserializes attacker-controlled .NET object input, and the deserialization itself yields remote code execution on the host server. The flaw is tracked under CWE-502 and carries a CVSS 3.1 base score of 9.8.
An unauthenticated attacker with network access can submit a malicious request to the staging endpoint, trigger unsafe deserialization, and obtain arbitrary code execution with the privileges of the Kentico process (on IIS, the application pool identity running the site). No user interaction or credentials are required, and the attack can result in full compromise of confidentiality, integrity, and availability on the affected server.
Kentico released hotfixes that address the issue for the supported branches, available via the vendor’s security updates page. The vulnerability is also catalogued in CISA’s Known Exploited Vulnerabilities list, and public exploit code has been published demonstrating remote command execution against unpatched instances.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-2129
Vulnerability details
An issue was discovered in Kentico 12.0.x before 12.0.15, 11.0.x before 11.0.48, 10.0.x before 10.0.52, and 9.x versions. Due to a failure to validate security headers, it was possible for a specially crafted request to the staging service to bypass the initial authentication and proceed to deserialize user-controlled .NET object input. This deserialization then led to unauthenticated remote code execution on the server where the Kentico instance was hosted.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 25 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of all inputs (including security headers) before deserializing untrusted .NET objects, blocking the authentication bypass and the RCE path in the staging service.
- AC-3 (Access Enforcement): enforces access-control decisions on every request to the staging endpoint, so a crafted request cannot bypass authentication and reach the deserializer.
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of software and information to detect or block execution of attacker-supplied deserialized objects that alter system behavior.
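The following is an added illustration, not Kentico source code, showing the pattern the deeper analysis above describes beside a hardened form that applies the controls above. It is written for the .NET Framework that Kentico 9 through 12 target. The handler shape, the "X-Staging-Auth" header name, the StagingTask type and the shared key are assumptions made for the demo; the real staging service's wire format and authentication scheme are not reproduced here.

```csharp
// Added example for CVE-2019-10068; not Kentico code. Handler shape, header
// name, StagingTask and the shared key are assumptions for this demo.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text;

[Serializable]
public sealed class StagingTask
{
    public string ObjectType = "";
    public string ObjectCode = "";
}

// Vulnerable pattern: a header check that falls through when the header is
// absent, then an unrestricted BinaryFormatter over the request body. Any
// gadget chain reachable from the types loaded in the worker process runs
// inside Deserialize(), before the returned object is even inspected.
public static class VulnerableStagingHandler
{
    public static object Handle(IDictionary<string, string> headers, byte[] body)
    {
        // Only validates when the header is present: omit it and no check runs.
        if (headers.TryGetValue("X-Staging-Auth", out var token) && token != "expected-token")
            throw new UnauthorizedAccessException();
        return new BinaryFormatter().Deserialize(new MemoryStream(body));   // CWE-502 sink
    }
}

// Hardened pattern, mapped to the controls above:
//  AC-3   authentication runs on every request, before the body is parsed, and fails closed;
//  SI-10  the header is an HMAC over the body, verified in constant time, so a crafted
//         body cannot be paired with a forged or replayed header;
//  CWE-502 BinaryFormatter is replaced by DataContractSerializer bound to one concrete
//         type, which will not instantiate arbitrary .NET types from the input.
public static class HardenedStagingHandler
{
    // Assumption: a secret shared out-of-band between source and target instance.
    private static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("demo-key-not-for-production");

    public static byte[] Mac(byte[] body)
    {
        using (var h = new HMACSHA256(SharedKey)) return h.ComputeHash(body);
    }

    public static StagingTask Handle(IDictionary<string, string> headers, byte[] body)
    {
        if (!headers.TryGetValue("X-Staging-Auth", out var presented) || string.IsNullOrEmpty(presented))
            throw new UnauthorizedAccessException("missing X-Staging-Auth");

        byte[] given;
        try { given = Convert.FromBase64String(presented); }
        catch (FormatException) { throw new UnauthorizedAccessException("malformed X-Staging-Auth"); }

        if (!FixedTimeEquals(given, Mac(body)))
            throw new UnauthorizedAccessException("invalid X-Staging-Auth");

        // Only StagingTask (and the strings it contains) can be produced here.
        var serializer = new DataContractSerializer(typeof(StagingTask));
        using (var ms = new MemoryStream(body))
            return (StagingTask)serializer.ReadObject(ms);
    }

    // Length-independent comparison; CryptographicOperations.FixedTimeEquals
    // does not exist on .NET Framework, hence the hand-rolled loop.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Legitimate request: XML body from the same serializer, header = HMAC(body).
        var task = new StagingTask { ObjectType = "cms.document", ObjectCode = "home" };
        byte[] body;
        using (var ms = new MemoryStream())
        {
            new DataContractSerializer(typeof(StagingTask)).WriteObject(ms, task);
            body = ms.ToArray();
        }
        var headers = new Dictionary<string, string>
        {
            ["X-Staging-Auth"] = Convert.ToBase64String(HardenedStagingHandler.Mac(body))
        };
        var ok = HardenedStagingHandler.Handle(headers, body);
        Console.WriteLine("accepted: " + ok.ObjectType + "/" + ok.ObjectCode);

        // Crafted request with no header: the vulnerable handler would deserialize it;
        // the hardened handler rejects it before the body is touched.
        try { HardenedStagingHandler.Handle(new Dictionary<string, string>(), body); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two design points. The authentication check in the hardened handler binds the credential to the body (HMAC over the bytes), so validating "security headers" is not a separate step that can be skipped or satisfied with a header copied from another request. And the fix is not complete without changing the sink: even with perfect authentication, any caller who can reach BinaryFormatter with attacker-shaped bytes gets code execution, so the serializer is replaced with one bound to a single known type. A SerializationBinder that allowlists types is the usual interim step when BinaryFormatter cannot be removed immediately.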