10 March 2019

A remote command-injection vulnerability dubbed SpeakUp (CVE-2018-20062) (1) in the ThinkPHP development framework was widely reported in the news some weeks ago. Technically, SpeakUp is simply one more command-injection vulnerability with CVSS V3.0 base score Critical that results in full loss of integrity if exploited.

CVE-2018-20062-class vulnerabilities are quite rare. As of 10 March 2019 only 182 of the 16517 vulnerabilities published in 2018 belong to this class. Exploitation of any of these vulnerabilities results in full loss of integrity of the attacked system. In the worst case, the compromised system becomes the new base of operations for the attacker and allows him to compromise further systems.

Tara Seals provides a brief outline (2) on ThreatPost of the initial infection routine. For more details see the Checkpoint Research report (3) about SpeakUp.

Lateral movement in Linux-based networks places special challenges on the attacker. In general, vulnerabilities in applications must be used for propagation. SpeakUp uses an impressive arsenal of old vulnerabilities in application frameworks for propagation. Seals writes:

“To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; a Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).”

The table below shows some details of the above mentioned vulnerabilities.

CVE	Application Framework	CVSS Base Score	Attack Vector
CVE-2012-0874	JBoss Enterprise Application Platform (EAP)	6.8 (CVSS v2.0)	V:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0)
CVE-2010-1871	JBoss Enterprise Application Platform (EAP)	6.8 (CVSS v2.0)	(AV:N/AC:M/Au:N/C:P/I:P/A:P) (CVSS v2.0)
CVE-2017-10271	Oracle WebLogic Server	7.5 (CVSS v3.0)	AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS v3.0)
CVE-2018-2894	Oracle WebLogic Server	9.8 (CVSS v3.0)	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)
CVE-2016-3088	Fileserver web application in Apache ActiveMQ	9.8 (CVSS v3.0)	AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0)

Any of the listed vulnerabilities enables the attacker to create new operations bases. In the worst case, he can jump across network boundaries, e.g. from the DMZ into the company intranet or from the company intranet into the production network.

How to stop this kind of attacks?

From the tactical point of view, vulnerability management is the key to stop this kind of attacks as early as possible. CVE-2018-20062-class vulnerabilities and remote code or script execution vulnerabilities must be patched directly after they show up on the market. At least in the DMZ and on systems on both sides of network boundaries. This will prevent the attacker from lateral movement.

Vulnerability management relies on asset management. And on CI/CD across the entire application stack because without automated testing it is not possible to make sure that the application is still working after the patches have been applied.

From a strategic point of view, measures must be applied to enlarge the resilience of application systems against cyber attacks. This includes e.g. micro segmentation or Web Application Firewalls but also Linux native enhancements like AppArmor or SELinux.

And this holds for both, cloud and on-premise hosted applications.

Have a great week.

---

References