On April 17th local time, Oracle released the Critical Patch Update (CPU) advisory, which contains a fix for the high-risk WebLogic Server deserialization vulnerability (CVE-2018-2628). An attacker can use it to execute arbitrary code remotely without authorization.
Reference link:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Affected Versions
- WebLogic 10.3.6.0
- WebLogic 12.1.3.0
- WebLogic 12.2.1.2
- WebLogic 12.2.1.3
According to data on the NSFOCUS Threat Intelligence center (NTI), as many as 19,229 assets around the world have the WebLogic service publicly accessible from the Internet.
Technical Solutions
Self Check
Run the following commands to check whether the current WebLogic version is affected by this vulnerability:
$ cd /lopt/bea92sp2/weblogic92/server/lib
$ java -cp weblogic.jar weblogic.version
Then check whether port 7001 (default port of WebLogic) is publicly accessible.
Official Fix
Oracle has fixed this vulnerability in the CPU released in April. Users are advised to download the latest update as soon as possible.
Reference link: http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patch.
Workaround
To exploit the CVE-2018-2628 vulnerability, the first step is to establish a socket connection with the T3 service available on the service port of WebLogic Server. Therefore, the attack can be blocked by controlling access to the T3 protocol. WebLogic Server provides a default connection filter called weblogic.security.net.ConnectionFilterImpl. This filter accepts all inbound connections. It is advisable to configure a rule through this filter to control access to T3 and T3S protocols.
- Access the administration console of WebLogic Server. Click base_domain in the left pane and then click the Security and Filter tabs successively to open the filter configuration page.
- Type weblogic.security.net.ConnectionFilterImpl in the Connection Filter field and * * 7001 deny t3 t3s in the Connection Filter Rules field.
- Click Save. Then this rule takes effect immediately without needing a restart.
Connection filter rules use the format "target localAddress localPort action protocols". In the rule above, the target and the local address are both the wildcard *, the local port is 7001, the action is deny, and the protocols are t3 and t3s.
NSFOCUS’s Recommendations
Use NSFOCUS’s detection products or services to detect the vulnerability:
- For Internet-facing assets, use the emergency vulnerability detection service of NSFOCUS Cloud to check for the vulnerability online. The service is available at the following link: https://cloud.nsfocus.com/#/krosa/views/initcdr/productandservice?page_id=12
- For internal assets, use NSFOCUS IDS, RSAS V6, and WVSS to check for the vulnerability:
- Network Intrusion Detection System (NIDS): http://update.nsfocus.com/update/listIds
- Remote Security Assessment System (RSAS V6): http://update.nsfocus.com/update/listRsasDetail/v/vulweb
- Web Vulnerability Scanning System (WVSS): http://update.nsfocus.com/update/listWvssDetail/v/6/t/plg
You should upgrade your devices to the latest version by downloading upgrade packages from the preceding links before using them to detect vulnerabilities.
Use NSFOCUS’s protection product (NIPS or NF) to protect against the vulnerability:
- Network Intrusion Prevention System (NIPS): http://update.nsfocus.com/update/listIps
- Next-Generation Firewall (NF): http://update.nsfocus.com/update/listNf
You should upgrade your devices to the latest version by downloading upgrade packages from the preceding links before using them for protection.
Identification of Affected Internet Assets
NTI provides the function of querying network assets publicly accessible from the Internet. Enterprise users can use NTI to query which ports on their assets are open, and thereby find out whether any assets are affected by this vulnerability.
NTI also provides the Internet asset audit service, enabling enterprise customers to learn the security of and changes in their assets in a timely manner. For details about the service, please contact NTI@nsfocus.com.
Technical Analysis
The T3 service unpacks the serialized object structure. Through a chain of readObject calls, it finally connects to port 1099 of the server set up in the second step and requests the malicious code from there.
The calculator then pops up.
WebLogic has blacklisted the classes used by all of the PoCs exposed on the Internet. However, this blacklist can be bypassed with some manual adjustment. Let's see how resolveProxyClass in InboundMsgAbbrev is implemented. This method is responsible for handling RMI interfaces, but it only adds java.rmi.registry.Registry to the blacklist. Therefore, attackers can easily bypass the blacklist by using other RMI interfaces.
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        String[] arr$ = interfaces;
        int len$ = interfaces.length;
        for (int i$ = 0; i$ < len$; ++i$) {
            String intf = arr$[i$];
            // Only this single interface name is blacklisted; any other RMI interface passes.
            if (intf.equals("java.rmi.registry.Registry")) {
                throw new InvalidObjectException("Unauthorized proxy deserialization");
            }
        }
        return super.resolveProxyClass(interfaces);
    }
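As an added example (not code from the advisory or from WebLogic itself), the following hardened ObjectInputStream generalizes the check above: instead of matching the single name java.rmi.registry.Registry, it refuses any dynamic proxy whose interface list contains an RMI remote interface (any subtype of java.rmi.Remote). The class name, the DemoRemote interface and the serialized proxy are constructed for the demonstration, and the example assumes that legitimate traffic at this point never needs an RMI proxy.

```java
import java.io.*;
import java.lang.reflect.*;
import java.rmi.Remote;

// Hypothetical hardened stream (not WebLogic's): rejects proxies for ANY RMI
// remote interface rather than blacklisting one interface name.
public class HardenedObjectInputStream extends ObjectInputStream {
    public HardenedObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces)
            throws IOException, ClassNotFoundException {
        for (String intf : interfaces) {
            // initialize=false: resolve the name without running static initializers
            Class<?> c = Class.forName(intf, false, getClass().getClassLoader());
            if (Remote.class.isAssignableFrom(c)) {
                throw new InvalidObjectException("Unauthorized proxy deserialization: " + intf);
            }
        }
        return super.resolveProxyClass(interfaces);
    }

    // Constructed interface for the demo; it is NOT java.rmi.registry.Registry,
    // so the single-name blacklist shown above would let it through.
    public interface DemoRemote extends Remote { }

    // Builds a serialized proxy for DemoRemote with a harmless, serializable handler.
    static byte[] serializedProxy() throws IOException {
        InvocationHandler h = (InvocationHandler & Serializable) (p, m, a) -> null;
        Object proxy = Proxy.newProxyInstance(DemoRemote.class.getClassLoader(),
                new Class<?>[] { DemoRemote.class }, h);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(proxy); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] data = serializedProxy();
        // A plain stream reconstructs the RMI proxy without complaint.
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            System.out.println("plain stream accepted: " + (in.readObject() instanceof DemoRemote));
        }
        // The hardened stream refuses it because DemoRemote extends java.rmi.Remote.
        try (ObjectInputStream in = new HardenedObjectInputStream(new ByteArrayInputStream(data))) {
            in.readObject();
            System.out.println("hardened stream accepted (unexpected)");
        } catch (InvalidObjectException e) {
            System.out.println("hardened stream rejected: " + e.getMessage());
        }
    }
}
```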