Tag Archives: Web application Firewall

SpeakUp – Lateral movement made easy

10 March 2019

A remote command-injection vulnerability dubbed SpeakUp (CVE-2018-20062) (1) in the ThinkPHP development framework was widely reported in the news some weeks ago. Technically, SpeakUp is just one more command-injection vulnerability with a Critical CVSS v3.0 base score that results in full loss of integrity if exploited.

Chart: CVE-2018-20062 alike Vulnerabilities 2018

CVE-2018-20062-class vulnerabilities are quite rare. As of 10 March 2019, only 182 of the 16517 vulnerabilities published in 2018 belong to this class. Exploitation of any of these vulnerabilities results in full loss of integrity of the attacked system. In the worst case, the compromised system becomes the attacker's new base of operations and allows him to compromise further systems.

Tara Seals provides a brief outline (2) on ThreatPost of the initial infection routine. For more details see the Checkpoint Research report (3) about SpeakUp.

Lateral movement in Linux-based networks poses special challenges for the attacker. In general, vulnerabilities in applications must be used for propagation. SpeakUp uses an impressive arsenal of old vulnerabilities in application frameworks for propagation. Seals writes:

“To spread, SpeakUp’s propagation code exploits known vulnerabilities in six different Linux distributions, including JBoss Enterprise Application Platform security bypass vulnerabilities (CVE-2012-0874); a JBoss Seam Framework remote code execution (RCE) flaw (CVE-2010-1871); a JBoss AS 3/4/5/6 RCE exploit; an Oracle WebLogic wls-wsat Component Deserialization RCE (CVE-2017-10271); a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2018-2894); a Hadoop YARN ResourceManager command-execution exploit; and an Apache ActiveMQ Fileserver File Upload RCE vulnerability (CVE-2016-3088).”

The table below shows some details of the above-mentioned vulnerabilities.

| CVE | Application Framework | CVSS Base Score | Attack Vector |
|---|---|---|---|
| CVE-2012-0874 | JBoss Enterprise Application Platform (EAP) | 6.8 (CVSS v2.0) | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0) |
| CVE-2010-1871 | JBoss Enterprise Application Platform (EAP) | 6.8 (CVSS v2.0) | AV:N/AC:M/Au:N/C:P/I:P/A:P (CVSS v2.0) |
| CVE-2017-10271 | Oracle WebLogic Server | 7.5 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVSS v3.0) |
| CVE-2018-2894 | Oracle WebLogic Server | 9.8 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0) |
| CVE-2016-3088 | Fileserver web application in Apache ActiveMQ | 9.8 (CVSS v3.0) | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (CVSS v3.0) |

Any of the listed vulnerabilities enables the attacker to set up a new base of operations. In the worst case, he can jump across network boundaries, e.g. from the DMZ into the company intranet or from the company intranet into the production network.

How to stop this kind of attack?

From the tactical point of view, vulnerability management is the key to stopping this kind of attack as early as possible. CVE-2018-20062-class vulnerabilities and remote code or script execution vulnerabilities must be patched as soon as they are published, at least in the DMZ and on the systems on both sides of a network boundary. This prevents the attacker from lateral movement.

Vulnerability management relies on asset management, and on CI/CD across the entire application stack: without automated testing it is not possible to make sure that the application still works after the patches have been applied.
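Prioritising the patch queue by the class defined above can be automated from the CVSS vectors a scanner reports. The following Python is an added example, not code from the post: it implements the CVSS v3.1 base score formula, flags vectors that fall into the CVE-2018-20062 class (my operational reading of the class: network-reachable, no privileges or user interaction required, and full loss of integrity, I:H), and runs it over the v3.0 rows of the table above as constructed sample input.

```python
"""Added example (not from the post): score CVSS v3 vectors and flag the
CVE-2018-20062 class for immediate patching. Sample data is constructed below."""
import math
import re

# Metric weights from the CVSS v3.1 specification; PR depends on scope.
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
      "AC": {"L": 0.77, "H": 0.44}, "UI": {"N": 0.85, "R": 0.62},
      "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}
_VECTOR = re.compile(r"^(?:CVSS:3\.[01]/)?AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/"
                     r"S:[UC]/C:[NLH]/I:[NLH]/A:[NLH]$")

def parse_vector(vector):
    """Split a CVSS v3.x base vector into a metric -> value dict."""
    if not _VECTOR.match(vector):
        raise ValueError(f"not a CVSS v3 base vector: {vector}")
    return dict(p.split(":") for p in vector.split("/") if not p.startswith("CVSS"))

def _roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, in integer math."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    """CVSS v3.1 base score exactly as the specification defines it."""
    m = parse_vector(vector)
    w = _W["CIA"]
    iss = 1 - (1 - w[m["C"]]) * (1 - w[m["I"]]) * (1 - w[m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + expl if m["S"] == "U" else 1.08 * (impact + expl)
    return _roundup(min(total, 10))

def is_cve_2018_20062_class(vector):
    """Assumed definition of the post's class: reachable from the network without
    authentication or user interaction, and full loss of integrity (I:H)."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["PR"] == "N" and m["UI"] == "N" and m["I"] == "H"

def triage(findings):
    """Map each (cve, vector) to (base score, patch-immediately flag)."""
    return {cve: (base_score(v), is_cve_2018_20062_class(v)) for cve, v in findings}

# Constructed sample: the CVSS v3.0 rows of the table in the post.
SAMPLE = [("CVE-2017-10271", "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
          ("CVE-2018-2894", "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
          ("CVE-2016-3088", "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")]
```

Note that CVE-2017-10271 scores High but is not flagged: its vector records availability impact only, which is why a pure score threshold is a weaker filter than the integrity-based class.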

From a strategic point of view, measures must be taken to increase the resilience of application systems against cyber attacks. This includes e.g. micro-segmentation or Web Application Firewalls, but also Linux-native enhancements like AppArmor or SELinux.

And this holds for both cloud-hosted and on-premise applications.

Have a great week.


References

1. NIST NVD. NVD – CVE-2018-20062 [Internet]. 2018 [cited 2019 Feb 6]. Available from: https://nvd.nist.gov/vuln/detail/CVE-2018-20062

2. Seals T. SpeakUp Linux Backdoor Sets Up for Major Attack [Internet]. threatpost. 2019 [cited 2019 Feb 6]. Available from: https://threatpost.com/speakup-linux-backdoor/141431/

3. Check Point Research. SpeakUp: A New Undetected Backdoor Linux Trojan [Internet]. Check Point Research. 2019 [cited 2019 Feb 6]. Available from: https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/


To patch or not to patch this is not the question – New Remote Code Execution Vulnerability in Drupal CMS

21 October 2018

Lindsey O’Donnell’s report “Two Critical RCE Bugs Patched in Drupal 7 and 8” [1] published yesterday on Threatpost gives website operators every reason to enter panic mode.

The vulnerabilities are not published in the NIST NVD yet, but Drupal released two security advisories [2] [3] with details.

Why panic? In the past 16 years, 177 vulnerabilities [4] related to Drupal were published. That sounds like a lot, but consider that 1,075,609 websites were powered by Drupal core in October 2018 [5].

Fortunately, only 13 exploits have been published since 2002. On 29 March 2018 the remote code execution vulnerability CVE-2018-7600 (Drupalgeddon2) was published. Within 20 days of publication, three exploits were available. Thousands of sites were compromised in the aftermath.

CVE-2018-7602 (Drupalgeddon3) was published on 19 July 2018. In this case exploits were available 81 and 86 days before the CVE was published.

Table: Drupal Exploits since 2010.

The table above shows the vulnerabilities with published exploits for the Drupal CMS since 2010. Negative values in the column "Number of days exploit published after CVE published" indicate that the exploit was published before the CVE. These are the magic zero-day exploits, the worst-case scenario for website operators because there is no warning time at all.

Except for the green-highlighted exploit, all exploits were used in the wild, i.e. in actual attacks. In addition, except for the green-highlighted exploit, all CVEs were remote code execution or injection vulnerabilities.

For the newly published remote code execution vulnerabilities we can expect

  • that exploits will be published with a probability of about 7% and
  • that if exploits are published, they will be published before or at the day the CVE is published.

Consequently, website operators must patch immediately once they become aware of a new remote code execution vulnerability.

In addition, I would recommend taking further preventive measures, e.g. implementing a Web Application Firewall or a host-based Intrusion Detection/Prevention System, to make the installation more resilient against new vulnerabilities. If the website is operated on Linux, it makes sense to activate AppArmor [6].
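What an AppArmor profile adds against a remote code execution bug in a CMS, as recommended here and in the SpeakUp post above, is shown by the following added example (not from the post or from the referenced article). It confines a PHP-FPM pool: application code is read-only, only the upload directory is writable, and no path is granted execute permission, so an injected command cannot spawn a shell. The binary path /usr/sbin/php-fpm7.2, the document root /var/www/html and the writable directory /var/www/html/sites/default/files are assumptions.

```text
# Added example, not from the post: AppArmor profile for a PHP-FPM pool.
# Paths are assumptions; adjust them to the installed PHP version and site.
#include <tunables/global>

/usr/sbin/php-fpm7.2 flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>

  # The master process needs these to drop to the pool user and own the socket.
  capability setuid,
  capability setgid,
  capability chown,
  capability kill,

  network inet stream,
  network inet6 stream,
  network unix stream,

  /usr/sbin/php-fpm7.2 mr,
  /etc/php/** r,
  /usr/lib/php/** mr,
  /run/php/ rw,
  /run/php/** rw,
  /var/log/php*-fpm.log w,
  /var/lib/php/sessions/** rwk,
  owner /tmp/** rwk,

  # Application code is read-only; only the upload directory is writable.
  /var/www/html/ r,
  /var/www/html/** r,
  /var/www/html/sites/default/files/** rw,

  # No rule grants execute permission, so AppArmor already blocks every
  # exec. The explicit "audit deny" rules additionally log each attempt,
  # which turns an exploitation attempt into a detectable event.
  audit deny /bin/** x,
  audit deny /usr/bin/** x,
  audit deny /usr/local/bin/** x,
  audit deny /var/www/** x,
  audit deny /tmp/** x,
  audit deny /dev/shm/** x,
}
```

Load the profile with `apparmor_parser -r` and run the pool in complain mode (`aa-complain`) first, so that legitimate accesses the profile misses show up in the log before it is enforced.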

Have a great week.


  1. O’Donnell L. Two Critical RCE Bugs Patched in Drupal 7 and 8 [Internet]. Threatpost | The first stop for security news. 2018 [cited 2018 Oct 20]. Available from: https://threatpost.com/two-critical-rce-bugs-patched-in-drupal-7-and-8/138468/
  2. Drupal ST. Drupal Core – Multiple Vulnerabilities – SA-CORE-2018-006 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-core-2018-006
  3. Drupal ST. Mime Mail – Critical – Remote Code Execution – SA-CONTRIB-2018-068 [Internet]. Drupal.org. 2018 [cited 2018 Oct 20]. Available from: https://www.drupal.org/sa-contrib-2018-068
  4. CVE Details. Drupal Drupal : CVE security vulnerabilities, versions and detailed reports [Internet]. CVE Details. The ultimate security vulnerability datasource. 2018 [cited 2018 Oct 21]. Available from: https://www.cvedetails.com/product/2387/Drupal-Drupal.html?vendor_id=1367
  5. Drupal.org. Usage statistics for Drupal core | Drupal.org [Internet]. 2018 [cited 2018 Oct 21]. Available from: https://www.drupal.org/project/usage/drupal
  6. theMiddle. AppArmor: Say Goodbye to Remote Command Execution. [Internet]. Secjuice.com. 2018 [cited 2018 Oct 21]. Available from: https://www.secjuice.com/apparmor-say-goodbye-to-remote-command-execution/