The recent announcement by the Cybersecurity and Infrastructure Security Agency (CISA) regarding the addition of a new vulnerability, CVE-2021-44207, to its Known Exploited Vulnerabilities (KEV) Catalog has raised concerns among organizations about potential risks and active exploitation. Identified in the Acclaim Systems USAHERDS web application version 7.4.0.1 and earlier, CVE-2021-44207 is classified as a hard-coded credentials vulnerability under CWE-798. This vulnerability arises from the use of static ValidationKey and DecryptionKey values, which are crucial for the application’s ViewState security.
The exploitation of these keys could lead to remote code execution (RCE), allowing a malicious actor to manipulate the application’s server and potentially execute unauthorized code. The impact of this vulnerability is classified as high, as knowledge of the hard-coded keys could result in serious consequences. However, the exploitability is considered low, as attackers would first need to gain access to the keys through another vulnerability or channel.
The Acclaim Systems USAHERDS web application relies on ValidationKey and DecryptionKey values to maintain the integrity and confidentiality of its ViewState data, which is used to persist the state of web application controls between client and server interactions. When these keys are hard-coded and exposed, risks such as bypassing integrity checks and deserialization of malicious data emerge, posing a threat to the application’s security.
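As an added example (not code from CISA, Acclaim Systems, Mandiant or the advisory), the following Python audit scans ASP.NET web.config files for the two symptoms of the pattern described above: a static machineKey validationKey/decryptionKey stored in the configuration file, and the same key value reused verbatim across separate deployments. The sample configs and key values are constructed placeholders; the element and attribute names follow the standard ASP.NET machineKey configuration section.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents with placeholder key values.
# These are not real deployments and not the USAHERDS configuration.
SAMPLE_CONFIGS = {
    "siteA/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_1"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_1"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "siteB/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_1"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_1"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "siteC/web.config": """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""",
    "siteD/web.config": """<configuration>
  <system.web>
    <machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData>opaque-ciphertext-placeholder</EncryptedData>
    </machineKey>
  </system.web>
</configuration>""",
}

KEY_ATTRS = ("validationKey", "decryptionKey")


def machine_key_element(config_xml):
    """Return the <machineKey> element of a web.config, or None if absent."""
    root = ET.fromstring(config_xml)
    return root.find("./system.web/machineKey")


def classify_key(value):
    """Classify a machineKey attribute value as 'auto', 'static' or 'missing'."""
    if not value:
        return "missing"
    if value.startswith("AutoGenerate"):
        return "auto"
    return "static"


def audit_configs(configs):
    """Audit several web.config files; returns {path: [finding, ...]}.

    Files with auto-generated keys produce no findings. A static key is
    reported once per file, and a key value that appears verbatim in more
    than one file is reported on every file that contains it.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)  # (attribute, value) -> [paths]

    for path, xml_text in configs.items():
        mk = machine_key_element(xml_text)
        if mk is None:
            continue  # no explicit element: ASP.NET generates keys itself
        if mk.get("configProtectionProvider"):
            # Section encrypted with aspnet_regiis-style protection; the values
            # can only be reviewed on the host after decryption.
            findings[path].append(
                "machineKey section is encrypted; inspect the decrypted values on the host")
            continue
        for attr in KEY_ATTRS:
            value = mk.get(attr, "")
            if classify_key(value) == "static":
                findings[path].append(f"{attr} is a static value stored in the config file")
                seen[(attr, value)].append(path)

    # The same key in unrelated deployments is the hard-coded-credential pattern.
    # Members of one web farm legitimately share keys, so confirm before acting.
    for (attr, _value), paths in seen.items():
        if len(paths) > 1:
            for path in paths:
                others = ", ".join(p for p in paths if p != path)
                findings[path].append(f"{attr} is identical to the one in {others}")
    return dict(findings)


if __name__ == "__main__":
    for path, notes in audit_configs(SAMPLE_CONFIGS).items():
        for note in notes:
            print(f"{path}: {note}")
```

In a real estate, feed the function the web.config files collected from each application server; a static key that is also identical across installations of the same product is the condition CWE-798 describes, and the remediation is to regenerate unique keys per deployment (or per farm) and keep them out of source control.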
In response to this vulnerability, CISA advises organizations to take immediate action by applying vendor mitigations, discontinuing the use of the vulnerable product if necessary, and contacting Acclaim Systems for guidance on patching or mitigating the vulnerability. Additionally, organizations are encouraged to integrate proactive measures into their vulnerability management practices, prioritizing the remediation of vulnerabilities listed in the KEV Catalog to minimize exposure to cyber threats.
The discovery and reporting of CVE-2021-44207 by Douglas Bienstock of Mandiant underscore the importance of thorough testing and reporting in identifying critical flaws that could be exploited by malicious actors. Furthermore, the inclusion of this vulnerability in the KEV Catalog aligns with CISA’s Binding Operational Directive (BOD) 22-01, which aims to reduce the significant risk of known exploited vulnerabilities and enhance federal cybersecurity.
Overall, the addition of CVE-2021-44207 to the KEV Catalog serves as a reminder of the persistent threats posed by known vulnerabilities and the importance of adopting cybersecurity best practices. Organizations are advised to conduct regular vulnerability assessments, ensure timely patch management, monitor threat intelligence, and limit the use of hard-coded credentials to strengthen their security posture against cyber threats. Vigilance and timely remediation are vital in navigating today’s cybersecurity landscape and safeguarding against potential vulnerabilities.
