WebLogic WLS Component IIOP Protocol Remote Code Execution Vulnerability (CVE-2020-2551) Threat Alert

February 12, 2020 | Mina Hao
  1. Overview

Oracle released its Critical Patch Update (CPU) for January 2020, announcing a remote code execution vulnerability (CVE-2020-2551) in the Internet Inter-ORB Protocol (IIOP) used by the WLS component in WebLogic.

This vulnerability exists in a core component of the WebLogic Server and can be triggered on a default installation without administrative authentication or any extra interaction, so its impact is extensive.

Via IIOP, an attacker could access the remote interface of the WebLogic Server to deliver malicious data, in a bid to gain server privileges and execute arbitrary code remotely without authorization. Oracle assigns a CVSS score of 9.8 to this vulnerability.

The IIOP protocol is used to access remote objects as a Java interface. By default, it is enabled.

For details about the Oracle CPU, please visit the following link:

https://www.oracle.com/security-alerts/cpujan2020.html

  2. Affected Versions

The following versions are affected by the CVE-2020-2551 vulnerability:

  • Oracle Weblogic Server 10.3.6.0.0 (official patch to be released on January 31)
  • Oracle Weblogic Server 12.1.3.0.0 (official patch to be released on January 31)
  • Oracle Weblogic Server 12.2.1.3.0 (official patch is available)
  • Oracle Weblogic Server 12.2.1.4.0 (official patch is available)
  3. Check for the Vulnerability

3.1 Local Check

You can use the following commands to check the WebLogic version and whether the patch is installed.

$ cd /Oracle/Middleware/wlserver_10.3/server/lib

$ java -cp weblogic.jar weblogic.version

If no patch installation information is shown in the execution result, your WebLogic server is vulnerable.

  4. Technical Solutions

4.1 Official Fix

In the Oracle CPU for January 2020, Oracle released patches for WebLogic Server 12.2.1.3 and 12.2.1.4. Affected users are advised to download and apply the corresponding patch as soon as possible.

Patches for WebLogic Server 10.3.6.0.0 and 12.1.3.0.0 will be released on January 31, 2020. Users are advised to check Oracle’s official security bulletins from time to time to get the related patch as soon as possible. Before patches are available, users should use the workaround described in section 4.2.

Note: Official patches of Oracle can be downloaded only by those with a licensed account of the software. Such users can use that account to log in to https://support.oracle.com to obtain the latest patch.

4.2 Workaround

The risk of this vulnerability can be mitigated by disabling the IIOP protocol. To disable the IIOP protocol, follow these steps:

Access the administration console of WebLogic Server. Choose Service > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.
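A defender's way to audit the workaround across a whole domain instead of clicking through the console, as an added example that is not part of the advisory: it reads the domain's config.xml and reports each server's IIOP setting, treating a missing setting as the enabled default. The element name iiop-enabled and the domain namespace are assumptions about WebLogic's config.xml layout; the sample config is constructed.

```python
"""Audit a WebLogic domain's config.xml for servers that still accept IIOP.

Added example, not part of the NSFOCUS advisory. Assumptions: WebLogic writes
the per-server IIOP switch as <iiop-enabled> under each <server> element in
config.xml (namespace http://xmlns.oracle.com/weblogic/domain), and an absent
element means the default, which is enabled.
"""
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}

# Constructed sample config.xml: AdminServer is left at defaults (IIOP on),
# ManagedServer1 has IIOP switched off, ManagedServer2 has it explicitly on.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <server>
    <name>AdminServer</name>
    <listen-port>7001</listen-port>
  </server>
  <server>
    <name>ManagedServer1</name>
    <iiop-enabled>false</iiop-enabled>
    <listen-port>7003</listen-port>
  </server>
  <server>
    <name>ManagedServer2</name>
    <iiop-enabled>true</iiop-enabled>
    <listen-port>7005</listen-port>
  </server>
</domain>
"""


def iiop_status(config_xml: str) -> dict:
    """Return {server_name: iiop_enabled} for every <server> in config.xml."""
    root = ET.fromstring(config_xml)
    status = {}
    for server in root.findall("d:server", NS):
        name = server.findtext("d:name", namespaces=NS)
        flag = server.findtext("d:iiop-enabled", namespaces=NS)
        # No element means WebLogic's default applies, and the default is enabled.
        status[name] = True if flag is None else flag.strip().lower() == "true"
    return status


def servers_needing_workaround(config_xml: str) -> list:
    """Names of servers where the advisory's workaround has not been applied."""
    return sorted(n for n, on in iiop_status(config_xml).items() if on)


if __name__ == "__main__":
    for name, on in iiop_status(SAMPLE_CONFIG).items():
        print(f"{name}: IIOP {'ENABLED' if on else 'disabled'}")
```

Point it at the real config.xml of each domain (read the file into a string); a server must still be restarted after IIOP is disabled, as the advisory says.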

4.3 NSFOCUS’s Recommendations

4.3.1 Detection Services and Products from NSFOCUS

You can use NSFOCUS RSAS V6, NIPS, and UTS to check for the vulnerability in internal assets:

  • Remote Security Assessment System (RSAS V6) plug-ins:

http://update.nsfocus.com/update/listRsasDetail/v/vulsys

  • NSFOCUS Intrusion Detection System (NIDS)

http://update.nsfocus.com/update/listIds

  • Unified Threat Sensor (UTS)

http://update.nsfocus.com/update/listBsaUtsDetail/v/rule2.0.0

You can download upgrade packages from the links above to upgrade these devices to the latest version for vulnerability detection.

4.3.2 Protection Products from NSFOCUS

  • NSFOCUS Network Intrusion Prevention System (NIPS)

http://update.nsfocus.com/update/listIps

You can download the upgrade package from the link above to upgrade this device to the latest version for vulnerability protection.

4.3.3 Upgrade Package/Rule Base Versions of Detection and Protection Products

Detection Product | Upgrade Package/Rule Base Version
RSAS V6           | System Plug-in Package V6.0R02F01.1704
NIDS              | V5.6.8.815, V5.6.9.21797, and V5.6.10.21797
UTS               | V5.6.10.21797

  • RSAS V6 system plug-in package:

http://update.nsfocus.com/update/downloads/id/101679

  • NIDS upgrade package:

V5.6.8.815

http://update.nsfocus.com/update/downloads/id/101674

V5.6.9.21797

http://update.nsfocus.com/update/downloads/id/101703

V5.6.10.21797

http://update.nsfocus.com/update/downloads/id/101704

  • UTS upgrade package:

http://update.nsfocus.com/update/downloads/id/101731


Protection Product | Upgrade Package/Rule Base Version            | Rule ID
NIPS               | V5.6.8.815, V5.6.9.21797, and V5.6.10.21797 | 24671

  • NIPS upgrade package:

V5.6.8.815

http://update.nsfocus.com/update/downloads/id/101674

V5.6.9.21797

http://update.nsfocus.com/update/downloads/id/101703

V5.6.10.21797

http://update.nsfocus.com/update/downloads/id/101704

  5. Technical Analysis

Currently, Oracle only provides patches for certain versions of the WebLogic server to fix the CVE-2020-2551 vulnerability. According to the Oracle bulletin, patches for other versions will not be published until January 31.

Following is the brief description of this vulnerability:

When the IIOP protocol is enabled on a WebLogic server (it is enabled by default), no administrator authentication or extra interaction is required: an attacker could exploit this vulnerability to take over the server and obtain sensitive information through remote code execution.

  6. Appendix A: Product Use Guides

6.1 Emergency Response Guides Provided by TRG

6.1.1 NSFOCUS Threat Situation Awareness Platform (TSA)

TSA – V2.0R00F02 (importing a rule upgrade package)

(1) Access BSA and then select Rule Engine, as shown in the following figure.

(2) Choose Upgrade.

(3) Click Choose File, select tsa_rule.2.1.7.203307.dat, click Import, and then click OK.

(4) Check the upgrade result in the upgrade record area.

For any problems during the upgrade, please contact us at 400-818-6868.

TSA – other versions (custom rules)

(1) Access BSA and then select Rule Engine.

(2) Click Create Rule.

(3) Configure intrusion protection rules as follows:

  • Mode: Expert
  • Category: Network intrusion
  • SQL:

select sip, dip, sum(last_times) as atk_count, sip, dip, min(timestamp) as start_time, max(timestamp) as end_time, concat_agg(related_id_list) as related_id_list
from internal_app_bsaips.ipslog
where rule_id = 24671
group by sip, dip

(4) Click Next and then set parameters as follows on the Attribute Configuration page:

  • Name: WebLogic WLS Component IIOP Protocol Remote Code Execution Vulnerability Attack
  • Risk Level: Medium
  • Phase: Exploitation
  • Timeout: 1800 (default)
  • Duration: 3600 (default)
  • Merged Attribute: sip, dip
  • Event Type: System intrusion – exploit
  • Description: This vulnerability could be exploited to bypass the latest security update issued by Oracle in October 2019. Via IIOP, an attacker could access the remote interface of the WebLogic Server to deliver malicious data, in a bid to gain server privileges and execute arbitrary code remotely without authorization.
  • Suggestion: Currently, this Oracle CPU contains patches only for WebLogic Server V12.2.1.4.0 and those for other versions will be released on January 31. Users are advised to check Oracle’s official security bulletins from time to time to get the related patch as soon as possible.
  • Mitigation: The risk of this vulnerability can be mitigated by disabling the IIOP protocol. To disable the IIOP protocol, follow these steps: Access the administration console of WebLogic Server. Choose Service > AdminServer > Protocol, deselect Enable IIOP, and restart the WebLogic Server to make the setting take effect.

(5) Click Complete to finish configuring the rule.

(6) Enable the rule in the rule list.

  • NSFOCUS Enterprise Security Platform (ESP)

(1) Log in to ESP/ESP-H.

(2) Choose Security Analysis > Event Rules.

(3) Click Import Rule (*.dat). For the ESP-H F07 series, import the rule package ESP-EVENTRULE-001-20200116.dat. For the ESP or ESP-H F06 series, import the rule package ESP-EVENTRULE-002-20200116.dat.

For any problems during the upgrade, please contact us at 400-818-6868.

6.1.2 NSFOCUS Threat Analysis and Management Platform (TAM, New Version)

Update the rule for protection against the WebLogic vulnerability exploit attempt. The procedure is as follows:

(1) Access TAM.

(2) Choose Scenario Management > Scenario Configuration and click Upload in the upper-right corner of the page to upload tam_rule.2.0.7.202109.dat.

If the upload succeeds, a message is displayed next to Upload indicating that the upload succeeded.

For other versions, you are advised to upgrade to TAM V2.0R00F00SP07.

6.1.3 NSFOCUS Intelligent Security Operation Platform (ISOP)

(1) Log in to NSFOCUS ISOP to install the rule upgrade package attack_rule.1.0.0.0.203289.

(2) Click System Update.

(3) Click Unified Rule Package Update, select the rule upgrade package attack_rule.1.0.0.0.203289, and click Update after the package is uploaded.

Upgrade package download link:

http://update.nsfocus.com/update/listisopdetail/v/V3.0R01F00NG

  • Scanning Configuration on RSAS

To use RSAS to scan for this vulnerability, users should download the latest plug-in version.

For example, you can download the rule package for RSAS V6.0 from the following link:

http://update.nsfocus.com/update/listRsasDetail/v/vulsys

On RSAS, choose Services > System Upgrade, and click Select File in the Manual Upgrade area to select the update file just downloaded.

Click Upgrade.
Wait for the installation to complete. After the update, you can create a custom scanning template to scan the system for this vulnerability.

  • Detection Configuration on UTS

Download the latest rule update of UTS from the following link:

http://update.nsfocus.com/update/listBsaUtsDetail/v/rule2.0.0

On UTS, choose System > System Upgrade > Offline Upgrade and browse to the update file just downloaded and click Upload.

Wait for the installation to complete.

  • Protection Configuration on NIPS

NIPS users can address this vulnerability by updating the rule base. The procedure is as follows:

You can download the latest rule base of NSFOCUS NIPS from our official website. Following is a link to the latest rule base for NSFOCUS NIPS V5.6.10:

http://update.nsfocus.com/update/listNewipsDetail/v/rule5.6.10

On the web-based manager of NSFOCUS NIPS, choose System > System Update > Offline Update and browse to the update file just downloaded and click Upload.

After the update is installed, retrieve rule ID 24671 from the default rule base to view rule details.

Note: After the update is installed, the engine automatically restarts to make it take effect, which does not disconnect any sessions, but may cause the loss of three to five packets during ping operations. Therefore, it is recommended that the update be installed at an appropriate time.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000. Headquartered in Beijing, the company has more than 30 branches and subsidiaries at home and abroad, providing most competitive security products and solutions for government, carrier, financial, energy, Internet, education, and healthcare sectors to ensure customers’ business continuity.

Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.

NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.