Checkbox Version 6 Security Vulnerability Announcement

Summary

Checkbox Survey, Inc. has recently been made aware of a security vulnerability that affects certain legacy Checkbox 6 versions released between 2015 and 2018 (see below for exact versions).

The affected versions of Checkbox Survey are end of life, but the vulnerability may still affect customers who are running these legacy versions on their own servers. All customers are advised to upgrade to Version 7 as soon as possible.

The reported vulnerability, which relies on a vulnerability in Microsoft IIS, could allow code execution on servers running the affected versions. We have received a report that this vulnerability has been exploited in the wild.

Issue

CVE ID: CVE-2021-27852

Severity: Critical

CVSS v3.1 Base Score: 9.8

The vulnerability, if exploited successfully, could allow the execution of attacker-supplied code on a server running any of the affected versions (listed below). It is exploited by manipulating the viewstate (a Microsoft feature that is no longer used by supported versions of Checkbox Survey) so that it carries injected code. Checkbox code then deserializes the viewstate, and the .NET Framework executes the injected code on the server. The root cause is a Microsoft library vulnerability in the LosFormatter class, which allows code contained in the data being deserialized to be executed on the server.
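The paragraph above describes the attack path: a viewstate value is tampered with so that, when LosFormatter deserializes it, the .NET Framework runs attacker-supplied code. The script below is an added defender-side example and is not Checkbox code or Microsoft code: it scans captured HTTP POST bodies, decodes each `__VIEWSTATE` field, and flags values that do not look like ordinary Web Forms page state. The checks are heuristics based on two known facts, that LosFormatter output begins with the bytes 0xFF 0x01 and that a .NET binary-serialization payload must carry type metadata (assembly and type names such as `mscorlib` or `System.Runtime.Serialization`) that simple page state never contains. The sample request bodies, the viewstate values and the size limit are constructed for this example.

```python
import base64
import binascii
from typing import Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# LosFormatter / ObjectStateFormatter output begins with these two bytes.
LOS_MAGIC = b"\xff\x01"

# Type metadata that ordinary Web Forms viewstate (strings, ints, small arrays
# of page state) does not carry, but a binary-serialization payload must carry
# in order to name the types it reconstructs.
SERIALIZER_MARKERS = (
    b"System.Runtime.Serialization",
    b"BinaryFormatter",
    b"mscorlib",
)


def decode_viewstate(value: str) -> Optional[bytes]:
    """Decode a raw __VIEWSTATE form value; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_viewstate(value: str, size_limit: int = 8192) -> List[str]:
    """Return the reasons a viewstate value looks suspicious (empty list = benign).

    size_limit is a constructed threshold for this example; tune it to the
    largest legitimate viewstate the application actually emits.
    """
    reasons: List[str] = []
    raw = decode_viewstate(value)
    if raw is None:
        return ["not-base64"]
    if not raw.startswith(LOS_MAGIC):
        reasons.append("missing-losformatter-header")
    if len(raw) > size_limit:
        reasons.append(f"oversized({len(raw)} bytes)")
    for marker in SERIALIZER_MARKERS:
        if marker in raw:
            reasons.append(f"serializer-marker:{marker.decode()}")
    return reasons


def scan_post_bodies(bodies: List[str]) -> Iterator[Tuple[int, List[str]]]:
    """Yield (index, reasons) for each URL-encoded form body whose __VIEWSTATE is suspicious."""
    for i, body in enumerate(bodies):
        fields = parse_qs(body, keep_blank_values=True)
        for vs in fields.get("__VIEWSTATE", []):
            reasons = classify_viewstate(vs)
            if reasons:
                yield i, reasons


# Constructed sample data. BENIGN_VS imitates a small LosFormatter string token;
# SUSPICIOUS_VS is only a marker string behind the LosFormatter header, not a
# working serialized object.
BENIGN_VS = base64.b64encode(b"\xff\x01\x05\x0bHello world").decode()
SUSPICIOUS_VS = base64.b64encode(
    b"\xff\x01"
    + b"constructed marker: mscorlib "
    + b"System.Runtime.Serialization.Formatters.Binary.BinaryFormatter"
).decode()

SAMPLE_BODIES = [
    urlencode({"__VIEWSTATE": BENIGN_VS, "__EVENTTARGET": "", "ctl00$btnNext": "Next"}),
    urlencode({"__VIEWSTATE": SUSPICIOUS_VS, "__EVENTTARGET": ""}),
    urlencode({"__VIEWSTATE": "not base64!!", "__EVENTTARGET": ""}),
]


if __name__ == "__main__":
    for index, reasons in scan_post_bodies(SAMPLE_BODIES):
        print(f"body {index}: {', '.join(reasons)}")
```

A hit from this scanner is a reason to pull the full request for analysis, not proof of compromise: the markers are easy to obfuscate, and a benign page can legitimately produce large viewstate. The durable control is the one the advisory gives, moving to a version that does not deserialize viewstate at all.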

Affected Versions:

  • Checkbox 2015 Q4 (6.12) through Checkbox 2018 Q2 (6.18)

Unaffected Versions:

  • All versions of Checkbox 7
  • Checkbox 6.0 through 2015 Q3 (6.11)
  • Checkbox 5.x
  • Checkbox 4.x

Resolution

Any customers who are running an affected version of Checkbox Survey on-premises (Checkbox 2015 Q4 (6.12) through Checkbox 2018 Q2 (6.18)) should immediately upgrade to Checkbox version 7. Checkbox 7 does not use viewstate and is therefore not vulnerable to this type of exploit.

Questions

For questions regarding this vulnerability, please enter a support ticket or email us at support@checkbox.com.
