Pierluigi Paganini December 23, 2024
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Acclaim Systems USAHERDS vulnerability, tracked as CVE-2021-44207 (CVSS score: 8.1) to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw is a hard-coded credentials vulnerability that affects the Acclaim USAHERDS web application 7.4.0.1 and earlier. An attacker who knows the static ValidationKey and DecryptionKey values can use them to execute arbitrary code on the system that runs the application.
Because the keys are known, attackers can craft malicious ViewState data that passes the MAC check and triggers server-side code execution.
“The Acclaim USAHERDS web application 7.4.0.1 and Earlier, builds prior to November 2021, used static ValidationKey and DecryptionKey values,” reads the advisory. “High – Knowledge of the ValidationKey and DecryptionKey can be used to achieve Remote Code Execution on the system that runs the application.”
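As an added illustration, not code from the advisory or from the USAHERDS product, the following Python script audits an ASP.NET web.config for the static machineKey settings the advisory describes, using two constructed sample configs (the key values are placeholders, not the real USAHERDS keys):

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments; the key values are placeholders,
# not the USAHERDS values.
WEAK_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

FIXED_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""


def static_machine_keys(config_xml: str) -> list[str]:
    """Return the names of <machineKey> attributes that carry a static key.

    A build that ships a fixed validationKey/decryptionKey lets anyone who
    learns the values produce a ViewState with a valid MAC, which is the
    weakness the USAHERDS advisory describes. "AutoGenerate" keys are created
    per machine (and per application with IsolateApps), so they cannot be
    known in advance from the shipped build.
    """
    static = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET treats an omitted attribute as AutoGenerate,IsolateApps.
            value = mk.get(attr, "AutoGenerate,IsolateApps")
            if not value.startswith("AutoGenerate"):
                static.append(attr)
    return static


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        found = static_machine_keys(cfg)
        print(f"{name}: " + (", ".join(found) + " are static" if found else "no static keys"))
```

Run it against a deployed application's web.config to confirm that both keys are auto-generated, or rotate them after a static key has been disclosed.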
Security researcher Douglas Bienstock of Mandiant reported the issue to the company.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix this vulnerability by January 13, 2025.