CVE-2021-39392

9.8 CRITICAL

📋 TL;DR

CVE-2021-39392 is a critical remote code execution vulnerability in the MyLittleBackup management tool, caused by a hardcoded machineKey in web.config. Because the key is known, attackers can send serialized ASP.NET payloads that the application accepts as trusted, and execute arbitrary commands on affected systems. All users of MyLittleBackup up to and including version 1.7 are vulnerable.

💻 Affected Systems

Products:
  • MyLittleBackup
Versions: All versions up to and including 1.7
Operating Systems: Windows (ASP.NET application)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the default web.config with hardcoded machineKey are vulnerable. The vulnerability exists in the management tool component.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary code, steal data, install malware, or pivot to other systems in the network.

🟠 Likely Case

Remote code execution leading to data theft, ransomware deployment, or creation of persistent backdoors on vulnerable systems.

🟢 If Mitigated

Limited impact if the system is isolated, has strict network controls, and uses additional security layers, though the vulnerability remains present.

🌐 Internet-Facing: HIGH - The management tool is typically exposed and the exploit requires no authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated attackers with network access to execute arbitrary code.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is publicly available in a GitHub gist. Exploitation is straightforward because the cryptographic keys are hardcoded and no authentication is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative backup solutions or implementing workarounds.

🔧 Temporary Workarounds

Replace Hardcoded machineKey

Platform: windows

Generate and use unique machineKey values for each installation instead of the hardcoded default.

1. Open web.config
2. Locate <machineKey> section
3. Replace with unique values: <machineKey validationKey="[GENERATE_NEW]" decryptionKey="[GENERATE_NEW]" validation="SHA1" decryption="AES" />
4. Use ASP.NET machineKey generator tools to create secure keys

Restrict Network Access

Platform: all

Limit access to the MyLittleBackup management interface to trusted IP addresses only.

1. Configure firewall rules to restrict access
2. Use IP whitelisting in IIS/application
3. Consider placing behind VPN or jump host

🧯 If You Can't Patch

  • Immediately isolate the MyLittleBackup server from internet access and restrict internal network access
  • Implement application-level firewall (WAF) rules to block serialized ASP payloads and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the web.config file for hardcoded machineKey values. If the validationKey and decryptionKey are the same across installations, the system is vulnerable.

Check Version:

Check the application version in the web interface, or examine the installation directory for version information.

Verify Fix Applied:

Verify that the machineKey values are unique per installation and are not the default hardcoded values. Test that serialized payloads are rejected.
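The following is an added example (not code from MyLittleBackup or from this advisory) covering both the machineKey replacement steps in the workaround above and the vulnerability check in this section: it parses a web.config, flags a machineKey that matches a known default or is reused by another installation, and emits a replacement element with fresh random keys. The sample web.config and the "known default" key values are constructed placeholders, since the page does not reproduce the real hardcoded keys.

```python
import secrets
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

# Constructed sample web.config; the key values are placeholders standing in for
# the vendor's hardcoded defaults, which this page does not reproduce.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_DEFAULT_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DEFAULT_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>"""

# Key values known to ship in the default config (placeholders here; fill from the real web.config).
KNOWN_DEFAULT_KEYS: Set[str] = {"PLACEHOLDER_DEFAULT_VALIDATION_KEY", "PLACEHOLDER_DEFAULT_DECRYPTION_KEY"}


def find_machine_key(config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of <system.web><machineKey>, or None if the element is absent."""
    node = ET.fromstring(config_xml).find("./system.web/machineKey")
    return None if node is None else dict(node.attrib)


def assess(config_xml: str, keys_seen_elsewhere: Set[str]) -> List[str]:
    """Flag a machineKey that is a known default or is shared with another installation."""
    findings: List[str] = []
    mk = find_machine_key(config_xml)
    if mk is None:
        return findings  # no element: ASP.NET auto-generates a per-machine key
    for attr in ("validationKey", "decryptionKey"):
        value = mk.get(attr, "AutoGenerate")
        if value.startswith("AutoGenerate"):  # also covers "AutoGenerate,IsolateApps"
            continue
        if value in KNOWN_DEFAULT_KEYS:
            findings.append(f"{attr} matches a known hardcoded default")
        elif value in keys_seen_elsewhere:
            findings.append(f"{attr} is reused by another installation")
    return findings


def generate_machine_key() -> str:
    """Build a replacement <machineKey> element with fresh random keys for step 3 of the workaround."""
    validation_key = secrets.token_hex(64).upper()  # 64-byte HMAC key (128 hex chars)
    decryption_key = secrets.token_hex(32).upper()  # 32-byte AES key (64 hex chars)
    return (f'<machineKey validationKey="{validation_key}" decryptionKey="{decryption_key}" '
            'validation="SHA1" decryption="AES" />')
```

Run `assess()` over every installation's web.config, passing in the keys already collected from the others, so a key copied between servers is caught as well as the vendor default.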

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to management endpoints
  • ASP serialization payloads in request logs
  • Unexpected process execution or file creation

Network Indicators:

  • HTTP requests containing serialized .NET objects
  • Traffic to MyLittleBackup management port from unexpected sources

SIEM Query:

source="web_logs" AND (uri="*/management/*" OR uri="*/admin/*") AND (request_body CONTAINS "Type" OR request_body CONTAINS "ObjectStateFormatter")
