CVE-2021-39392 in MyLittleBackup
Summary
by MITRE • 09/16/2021
The management tool in MyLittleBackup up to and including 1.7 allows remote attackers to execute arbitrary code because machineKey is hardcoded (the same for all customers' installations) in web.config, and can be used to send serialized ASP code.
Analysis
by VulDB Data Team • 09/19/2021
The vulnerability identified as CVE-2021-39392 affects MyLittleBackup management tool versions 1.7 and earlier, presenting a critical security risk that enables remote code execution through improper configuration of machine key settings. This flaw resides in the web.config file where a hardcoded machineKey value is used across all customer installations, creating a universal attack vector that undermines the security posture of every affected system. The vulnerability stems from the predictable nature of the encryption key, which allows attackers to craft malicious serialized ASP.NET objects that can be executed on the target system.
The technical implementation of this vulnerability follows a well-established pattern of insecure deserialization combined with weak cryptographic practices. When the management tool processes serialized data, it uses the hardcoded machineKey to decrypt and deserialize objects without proper validation or sanitization. This creates an environment where an attacker can generate malicious serialized payloads that, when processed by the vulnerable application, execute arbitrary code with the privileges of the web application. The CWE-502 designation applies here as this represents a dangerous deserialization vulnerability that allows code execution through crafted input data. The attack vector is particularly concerning because the same machineKey is shared across all installations, meaning a single successful exploitation attempt can compromise multiple systems simultaneously.
From an operational impact perspective, this vulnerability provides attackers with complete system compromise capabilities, enabling them to execute commands, access sensitive data, and potentially establish persistence within the network. The remote nature of the attack means that threat actors can exploit this vulnerability from anywhere on the internet without requiring physical access or prior authentication. The attack surface is further expanded because the hardcoded key eliminates the need for attackers to perform additional reconnaissance or key recovery operations. This vulnerability directly maps to ATT&CK technique T1059.001 for command and scripting interpreter, and T1566.001 for spearphishing attachments, as the exploitation typically involves sending malicious serialized data to the target system. Organizations using MyLittleBackup versions up to 1.7 face immediate risk of data breaches, system compromise, and potential lateral movement within their networks.
Mitigation strategies for CVE-2021-39392 should focus on immediate remediation through proper key management and configuration updates. Organizations must regenerate and randomize the machineKey values in all web.config files across affected installations, ensuring that each deployment uses unique cryptographic keys. The most effective immediate fix involves implementing a secure random key generation process and ensuring that these keys are properly rotated on a regular basis. System administrators should also implement network segmentation and access controls to limit exposure of the management tool to trusted networks only. Additionally, regular security audits should verify that no hardcoded cryptographic values exist in configuration files. The implementation of proper input validation and sanitization mechanisms should be strengthened to prevent deserialization of untrusted data, while application firewalls can be deployed to monitor and block suspicious serialized object traffic. Organizations should also consider implementing automated vulnerability scanning to detect similar hardcoded cryptographic values across their infrastructure, as this vulnerability pattern often indicates broader security misconfigurations that may affect other applications.
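The audit and re-keying steps above can be scripted. The following Python is an added example, not code from VulDB or the MyLittleBackup project: it parses ASP.NET `web.config` content, flags literal (non-`AutoGenerate`) `machineKey` values, reports any key shared by more than one installation (the condition behind CVE-2021-39392), and rewrites the element with fresh random keys sized for the `HMACSHA256`/`AES` settings. The three sample configurations and the `AB…`/`CD…` key strings are constructed placeholders; the real MyLittleBackup key is not on the page and is not reproduced here.

```python
"""Audit ASP.NET web.config files for hardcoded or shared machineKey values and
emit a replacement element with unique random keys.  Added example; the sample
configurations below are constructed and stand in for three customer installs."""
import secrets
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed placeholders (NOT the real vendor key): sites A and B share the same
# literal key material, modelling the "same key for all customers" condition.
SHARED_VALIDATION_KEY = "AB" * 64
SHARED_DECRYPTION_KEY = "CD" * 32

SAMPLE_CONFIGS = {
    "customer-a/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{SHARED_VALIDATION_KEY}" decryptionKey="{SHARED_DECRYPTION_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    "customer-b/web.config": f"""<configuration><system.web>
  <machineKey validationKey="{SHARED_VALIDATION_KEY}" decryptionKey="{SHARED_DECRYPTION_KEY}"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
    # Site C lets ASP.NET derive per-machine keys instead of hardcoding them.
    "customer-c/web.config": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>""",
}


def extract_machine_key(config_xml: str):
    """Return (validationKey, decryptionKey) from a web.config string, or None if absent."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    return mk.get("validationKey", ""), mk.get("decryptionKey", "")


def is_hardcoded(value: str) -> bool:
    """A literal key is hardcoded; an 'AutoGenerate' value is derived per machine by ASP.NET."""
    return not value.startswith("AutoGenerate")


def find_shared_keys(configs: dict) -> dict:
    """Map each hardcoded validationKey to the installs using it, keeping only keys
    that appear in more than one install (the cross-customer reuse this CVE describes)."""
    by_key = defaultdict(list)
    for path, xml_text in configs.items():
        keys = extract_machine_key(xml_text)
        if keys and is_hardcoded(keys[0]):
            by_key[keys[0]].append(path)
    return {key: paths for key, paths in by_key.items() if len(paths) > 1}


def generate_key_pair():
    """Fresh random keys: 64 bytes for HMACSHA256 validation, 32 bytes for AES decryption."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def rekey_config(config_xml: str) -> str:
    """Return the config with its machineKey replaced by unique random keys for this install."""
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        raise ValueError("no machineKey element to replace")
    validation_key, decryption_key = generate_key_pair()
    mk.set("validationKey", validation_key)
    mk.set("decryptionKey", decryption_key)
    mk.set("validation", "HMACSHA256")
    mk.set("decryption", "AES")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, paths in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"shared machineKey {key[:8]}... used by: {', '.join(paths)}")
    rekeyed = {path: rekey_config(xml) for path, xml in SAMPLE_CONFIGS.items()}
    print("shared keys after re-keying:", find_shared_keys(rekeyed))
```

Re-keying invalidates any existing ViewState and forms-authentication tickets signed under the old key, so roll it out during a maintenance window and repeat it for every installation rather than copying one regenerated key between sites.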