FusionAuth Remote Code Execution Vulnerability (CVE-2020-7799) Threat Alert

FusionAuth Remote Code Execution Vulnerability (CVE-2020-7799) Threat Alert

February 14, 2020 | Mina Hao
  1. Vulnerability Description

On January 28, 2019, Beijing time, NVD released a remote command execution vulnerability (CVE-2020-7799) in the Apache Freemarker template in FusionAuth. It is found that an authenticated user can edit email templates (Home > Settings > Email Templates) or themes (Home > Settings > Themes) in FusionAuth to execute arbitrary commands in the underlying operating system by using freemarker.template.utility.Execute in the Apache FreeMarker engine of custom templates.

FusionAuth is a modern open-source access management application that can be integrated with multiple technologies and platforms. You can configure and customize FusionAuth in various ways on the dashboard to provide authentication, authorization, and user management functions for any applications. As FusionAuth uses the Apache FreeMarker template engine and fails to properly sanitize user inputs, an attacker could exploit this vulnerability to impose a serious threat to server security. Currently, the vulnerability’s proof of concept (PoC) has been made publicly available and users should take related precautions as soon as possible.

 

For details of this vulnerability, visit the following link:

https://nvd.nist.gov/vuln/detail/CVE-2020-7799

Scope of Impact

Affected Versions

  • FusionAuth <= 1.10.1

Unaffected Versions

  • FusionAuth >= 1.11

Vulnerability Detection

  • Version Check

Users can check the current FusionAuth version to determine whether this application is vulnerable.

You can view the current FusionAuth version in the lower-left corner of the web-based manager of this application.

If the current version is within the affected scope, the application is potentially at risk.

Mitigation

  • Official Update
    • Fast Update

Users for fast installation can upgrade FusionAuth to the latest version in the following way:

Linux:

Users that install FusionAuth via a compressed package (ZIP) should first access the application’s installation directory to make FusionAuth stop running.

/bin/shutdown.sh

Access the upper-level directory (for example, if the installation directory is /usr/local/fusionauth, access /usr/local/) of the installation directory and run the following command for upgrade:

sh -c “curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-install/master/install.sh | sh -s – -z”

Navigate to the installation directory and start FusionAuth:

/bin/startup.sh

Users that install FusionAuth via a DEB or RPM package can run the following command for upgrade:

sh -c “curl -fsSL https://raw.githubusercontent.com/FusionAuth/fusionauth-install/master/install.sh | sh”

Start FusionAuth:

sudo service fusionauth-search start

sudo service fusionauth-app start

Windows:

Access the installation directory and make FusionAuth stop running:

net stop FusionAuthApp

net stop FusionAuthSearch

Install the latest version:

iex (new-object net.webclient).downloadstring(‘https://raw.githubusercontent.com/FusionAuth/fusionauth-install/master/install.ps1’)

Start FusionAuth:

\bin\startup.bat

For the detailed upgrade procedure, see the official upgrade document available at the following link:

https://fusionauth.io/docs/v1/tech/installation-guide/fast-path

  • Manual Update

Users for manual installation can upgrade FusionAuth to the latest version in the following way:

Linux:

Access the installation directory, make FusionAuth stop running, and uninstall it:

# Shut down the application:

/bin/shutdown.sh

# Uninstall the application:

rm -rf ./fusionauth-app

rm -rf ./fusionauth-search

rm -rf ./bin

Download the latest application installation packages (V1.14.0) from the following links:

https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.14.0/fusionauth-app-1.14.0.zip

https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.14.0/fusionauth-search-1.14.0.zip

Navigate to the installation directory and decompress the installation packages:

unzip -nq new-fusionauth-app.zip

unzip -nq new-fusionauth-search.zip

Start FusionAuth:

/bin/startup.sh

Windows:

Access the installation directory, make FusionAuth stop running, and uninstall it:

# Make the application stop running:

net stop FusionAuthApp

net stop FusionAuthSearch

# Uninstall the application:

cd \fusionauth\fusionauth-app\apache-tomcat\bin

FusionAuthApp.exe /uninstall

cd \fusionauth\fusionauth-search\elasticsearch\bin

FusionAuthSearch.exe /uninstall

# Remove the original installation package:

cd \fusionauth

move fusionauth-app fusionauth-app-old

move fusionauth-search fusionauth-search-old

Download the latest application installation packages (V1.14.0) from the following links:

https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.14.0/fusionauth-app-1.14.0.zip

https://storage.googleapis.com/inversoft_products_j098230498/products/fusionauth/1.14.0/fusionauth-search-1.14.0.zip

Decompress the preceding compressed packages and install them:

# Install packages:

cd \fusionauth\fusionauth-app\apache-tomcat\bin

FusionAuthApp.exe /install

cd \fusionauth\fusionauth-search\elasticsearch\bin

FusionAuthSearch.exe /install

# Start this application:

net start FusionAuthSearch

net start FusionAuthApp

For the detailed upgrade procedure, see the official upgrade document available at the following link:

https://fusionauth.io/docs/v1/tech/installation-guide/upgrade

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000. Headquartered in Beijing, the company has more than 30 branches and subsidiaries at home and abroad, providing most competitive security products and solutions for government, carrier, financial, energy, Internet, education, and healthcare sectors to ensure customers’ business continuity.

Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.

NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.