Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Sitecore CMS and Experience Platform Deserialization Vulnerability in Anti-CSRF Module Allowing Remote Code Execution

Vulnerability

A deserialization vulnerability has been identified in the Sitecore.Security.AntiCSRF module, affecting Sitecore CMS versions 7.0 to 7.2 and Sitecore XP versions 7.5 to 8.2. This vulnerability allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter '__CSRFTOKEN'. The issue arises because the CSRF protection module expects this parameter to contain a serialized object and deserializes it, so an attacker-supplied value can be crafted into valid .NET objects that execute code on the server when they are deserialized.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected server.

Reproduction

The vulnerability can be reproduced by sending a POST request to a Sitecore application with a serialized .NET object in the '__CSRFTOKEN' parameter. This can be done using a tool like Burp Suite or Postman. The serialized object should be crafted to include a deserialization gadget that, when executed, will run arbitrary code on the server.

Remediation

Sitecore has released a patch for versions prior to 9.0. For Sitecore versions 9.0 and above, users should update to the latest version 9.1 Update-1.

Added: May 15, 2026, 9:57 AM
Updated: May 15, 2026, 9:57 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 7.5
exploitability: 10.0
remediation: 7.7
relevance: 0.0
threat: 9.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.