According to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, a Checkbox Survey vulnerability that could allow a remote attacker to execute arbitrary code without authentication is being exploited in the field.
Checkbox Survey is an ASP.NET-based online survey tool that allows businesses construct professional surveys that can be accessed from either desktop computers or mobile devices.
The CVE-2021-27852 problem in Checkbox Survey is related to unsafe deserialization of view state data, which is a method used by the ASP.NET page framework to preserve page and control properties.
“The current state of the page and values that must be maintained during postback are serialised into base64-encoded strings when the HTML markup for the page is produced. This data is subsequently stored in the view state hidden field or fields, according to Microsoft.
Prior to version 7.0, Checkbox Survey used a _VSTATE parameter that was deserialized using LosFormatter to implement its own view state capabilities.
The Checkbox Survey code handles the data, but it ignores the ASP.NET ViewState Message Authentication Code (MAC) setting on the server, which is a flaw that an attacker might use to construct arbitrary data that could lead to code execution when deserialized.
“A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the web server by sending a specially-crafted request to a server that uses Checkbox Survey 6.x or earlier,” according to the advisory.
The alert indicates that the vulnerability has been used in attacks, however it doesn’t go into detail regarding the assaults.
Users are recommended to upgrade to Checkbox Survey version 7.0 or later, as this version does not use view state data and is thus no longer susceptible. Checkbox has also put a stop to the development of Checkbox Survey version 6.