Sitecore XP
cpe:2.3:a:sitecore:experience_platform:*:*:*:*:*:*:*
- >= 7.5.0, <= 7.5.2
- >= 8.0.0, <= 8.0.7
- >= 8.1.0, <= 8.1.3
- >= 8.2.0, <= 8.2.7
This vulnerability is being actively exploited in the wild.
A remote code execution vulnerability has been identified in Sitecore Experience Platform (XP) versions 7.5 Initial Release to 8.2 Update-7. This vulnerability arises from an insecure deserialization issue in the Report.ashx file, which was used for the Executive Insight Dashboard, a feature that has been deprecated. The vulnerability allows unauthorized users to execute arbitrary code on the server where Sitecore is running.
Exploitation of this vulnerability allows for remote code execution on the affected server, with the executed code running under the NT AUTHORITY\NETWORK SERVICE account. This could potentially be escalated to SYSTEM level privileges.
The vulnerability can be reproduced by sending a crafted XML payload to the Report.ashx endpoint. The payload must include a 'parameters' XML tag containing a serialized object that exploits the deserialization vulnerability. This can be done using a tool like ysoserial.net to generate the malicious payload, which is then base64-encoded and included in the request.
Sitecore users are advised to upgrade to Sitecore XP 9.0.0 or higher, or to remove the Report.ashx file from the /sitecore/shell/ClientBin/Reporting/ directory on their server instances.
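As an added defender-side example (not code from the advisory or from Sitecore), the script below does two things a practitioner would want after reading this record: it tests a Sitecore XP version string against the affected ranges listed above, and it scans IIS W3C log lines for requests that reached the deprecated Report.ashx handler path named in the mitigation. The sample log lines are constructed, and the `#Fields:` header layout is the default IIS one (an assumption; the parser reads the header, so other orders also work).

```python
import re

# Affected Sitecore XP ranges as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ((7, 5, 0), (7, 5, 2)),
    ((8, 0, 0), (8, 0, 7)),
    ((8, 1, 0), (8, 1, 3)),
    ((8, 2, 0), (8, 2, 7)),
]
# Handler path named in the advisory; compared case-insensitively, as IIS paths are.
REPORT_HANDLER = "/sitecore/shell/clientbin/reporting/report.ashx"

def parse_version(text):
    """'8.2.7' -> (8, 2, 7); '8.2 Update-7' -> (8, 2, 7); '7.5 Initial Release' -> (7, 5, 0)."""
    nums = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def is_affected(version_text):
    """True when the version falls inside any advisory range (9.0.0 and later are not listed)."""
    v = parse_version(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)

def find_report_handler_hits(log_lines):
    """Return (client_ip, method, status) for IIS W3C log lines whose URI stem is Report.ashx."""
    # Column positions come from the '#Fields:' header line, so any field order works.
    fields, hits = None, []
    for line in log_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or fields is None:
            continue
        else:
            cols = dict(zip(fields, line.split()))
            if cols.get("cs-uri-stem", "").lower() == REPORT_HANDLER:
                hits.append((cols.get("c-ip"), cols.get("cs-method"), cols.get("sc-status")))
    return hits

# Constructed sample log lines (not real traffic); IIS writes '+' for spaces inside a field.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2021-11-05 10:01:02 10.0.0.5 GET /sitecore/login - 443 - 198.51.100.7 Mozilla/5.0 200",
    "2021-11-05 10:01:09 10.0.0.5 POST /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 198.51.100.7 python-requests/2.25 500",
    "2021-11-05 10:02:30 10.0.0.5 GET /sitecore/shell/ClientBin/Reporting/Report.ashx - 443 - 203.0.113.9 curl/7.68 200",
]

if __name__ == "__main__":
    print("8.2.7 affected:", is_affected("8.2.7"), "| 9.0.0 affected:", is_affected("9.0.0"))
    for hit in find_report_handler_hits(SAMPLE_LOG):
        print("Report.ashx request:", hit)
```

Any hit on Report.ashx after the file has been removed (or on a host still inside the affected ranges) is worth investigating, since the endpoint belongs to a deprecated dashboard and should see no legitimate traffic.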