CVE-2021-27852: 
Checkbox Survey vulnerability analysis and mitigation

Deserialization of Untrusted Data vulnerability (CVE-2021-27852) was discovered in CheckboxWeb.dll of Checkbox Survey. The vulnerability affects versions prior to 7.0 and allows an unauthenticated remote attacker to execute arbitrary code on vulnerable servers (CERT VU, CVE MITRE).

The vulnerability exists in Checkbox Survey's implementation of its own View State functionality. The application accepts a _VSTATE argument which it then deserializes using LosFormatter. Because this data is manually handled by the Checkbox Survey code, the ASP.NET ViewState Message Authentication Code (MAC) setting on the server is ignored. Without MAC validation, an attacker can create arbitrary data that will be deserialized, resulting in arbitrary code execution (CERT VU).

The vulnerability allows an unauthenticated remote attacker to execute arbitrary code with the privileges of the web server. This can lead to complete system compromise (CERT VU).

Starting with Checkbox Survey 7.0, View State data is not used, therefore versions 7.0 and later do not contain this vulnerability. Since Checkbox is no longer developing version 6, users are advised to upgrade to version 7.0 or later. If unable to update, the software should be removed from any systems that have it installed (CERT VU).

The vulnerability has gained significant attention from security researchers and has been included in government advisories. It was listed in CISA's Known Exploited Vulnerabilities Catalog and was identified as one of the most exploited vulnerabilities in 2021 (Hacker News).