New Java Vulnerabilities!

4min read

Attention to all Java users! Yes, we are back with a brand new set of Java vulnerabilities that I know you would like to get some juicy info on. During September 2019, two Java vulnerabilities have been discovered within the Apereo CAS versions before 6.1.0-RC5 and the Apache Tapestry versions between 5.4.0 to 5.4.3. The former open source vulnerability has been given a score of 8.1 whilst the later a higher score of 9.8 in regards to severity. So hurry, read up and don’t waste any time. You could be affected!

  • CVE-2019-10754 Apereo CAS (org.apereo.cas:*) components could allow a remote authenticated malicious user to obtain sensitive information, caused by the use of weak RandomStringUtils PRNG algorithm. 
  • CVE-2019-0195 Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded.

CVE-2019-10754 

Vulnerability Score: 8.1 / HIGH

Platform: Java

Component: org.apereo.cas (Apereo CAS) 

Affected Versions: versions before 6.1.0-RC5

That’s right folks! Java has another vulnerability. Due to multiple classes using Apereo CAS (before the release of 6.1.0-RC5) and making use of apache commons-lang3 RandomStringUtils for token and ID generation, this has made them predictable and resulted in a cryptography weakness.

Apereo CAS is an open well-documented protocol, as well as an open-source Java server component. It provides support for multiple protocols (CAS, SAML, OAuth, OpenID) and is a library for clients such as Java, .NET, PHP, Perl, Apache, uPortal and more! Apereo’s mission is to help educational organizations ‘collaborate to foster, develop, and sustain open technologies and innovation to support learning, teaching and research’.

For example, org.apereo.cas:cas-server-support-simple-mfa is a package that allows Apereo CAS to act as a multifactor authentication provider by itself. This generates tokens and allows them to be sent to end-users via pre-defined communication channels such as email or text message. Please also note that this vulnerability affects multiple components of the Apereo CAS framework. 

So what is the threat? Well, the affected versions of this package are vulnerable to Insecure Randomness, as it relies on apache commons-lang3 RandomStringUtil  which can produce predictable results. So, this could allow an attacker to generate their own unique Ticket ID due to insufficient randomness. In other words, the attacker could guess the encryptionSecret used within GenerateJwtCommand and allow them to impersonate a user. This also means the attacker will have access to sensitive information caused by the use of the weak RandomStringUtils PRNG algorithm. 

Image showing user communicating with the server, and the hacker impersonating the user.

But don’t fret. There is a solution. It has been recommended to upgrade org.apereo.cas to version 6.1.0-RC5 or higher.

Java users, don’t give cyber criminals the chance to access your data. Act fast and upgrade org.apereo.cas! 

CVE-2019-0195

Vulnerability Score: 9.8 / CRITICAL

Platform: Java

Component: org.apache.tapestry (Apache Tapestry)

Affected Versions: versions 5.4.0 to 5.4.3.

We are not done yet folks! We have one more Java vulnerability to inform you guys on. Within the Apache Tapestry versions 5.4.0 to 5.4.3, the manipulating classpath asset file URLs allow an attacker to guess the path of a known file in the classpath and, as a result, download it. This was discovered on the 16/09/19 by Thiago H. de Paula Figueiredo.

The Apache Tapestry is an open-source framework for creating web applications in Java or other JVM languages. It also complements and builds upon standard Java Servlet API and works in any application server. Apache Tapestry has a long history. It has the oldest code, dating all the way back to 2000. This has resulted in many releases; developers now concentrate on Tapestry 5 as opposed to 3 and 4. 

What is tapestry.hmac-passphrase you say? This symbol is used to configure hash-based message authentication of Tapestry data stored in forms, or in the URL. In other words, your application is less secure and therefore more vulnerable to denial-of-service attacks. Especially when this symbol is not configured.

With various techniques, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the  tapestry.hmac-passphrase configuration symbol, then they could use it to craft a Java deserialization attack, thus running a malicious injected Java code. 

Image showing a hacker guessing a file location, downloading the pass phrase and a computer showing it is has been hacked.

The recommended mitigation for this vulnerability has been suggested to upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x version. 

That is it from us…for now! Make sure to spread the word on these critically-rated Java vulnerabilities in order to help the app sec community defend against unwanted exploits. But as you all know, open-source vulnerabilities are discovered daily, so we recommend you regularly scan your code repositories for new known vulnerabilities. Don’t get caught off guard!

Knowing is half the battle. The other half is doing. Let Meterian help your dev team stay in the know and on top of the latest updates to secure your apps continuously.  Sign up here to download the Meterian client today.  You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

New Java Vulnerabilities!

Vulnerability Focus: Remote Code Execution (RCE) Attacks

This week’s edition is all about remote code execution attacks. We have a cross-site scripting (XSS) vulnerability in the ever popular http-file-server which could lead to the execution of arbitrary JavaScript code in an unsuspecting victim’s browser.  On the other hand, we have a RubyGem exposure whose sheer magnitude led to the discovery of a potential cryptocurrency mining scheme. 

  • CVE-2019-15224 A code-execution backdoor in rest-client version 1.6.13 could lead to privilege escalation attacks
  • CVE-2019-5458 A cross-site scripting (XSS) vulnerability in all versions of http-file-server, a third-party Node.JS module

CVE-2019-15224

Vulnerability Score: TBD  (CVSS v3.0)

Platform: Ruby

Component: rest-client

Affected versions: v1.6.10 through v1.6.13

A malicious code-execution backdoor has just been located in version 1.6.13 of rest-client – a popular HTTP and REST (REpresentational State Transfer) client software package for Ruby. In essence, REST is an architectural style that standardizes modes of communication among different computer systems on the web. To delve a bit deeper, RESTful systems are stateless, and they separate concerns from client-side and server-side – the Ruby rest-client oversees requests sent to the server in order to retrieve or modify data stored on the server. 

In this compromised  version, the injected code within the gem would fetch malicious code from pastebin.com and send it to the attacker’s server to retrieve sensitive information from the client’s host machine. Kudos to Jussi Kuljonen for catching this vulnerability and promptly notifying the GitHub community on 19 August 2019.  Aside from that, he also pointed out that rest-client version 1.6.10 leading up to version 1.6.13, which have since been yanked, were also compromised. 

This is an image of how a hacker exploits the Ruby gem rest-client library with remote code execution, in a web application.
Remote Code Execution Exploit of Ruby Gem rest-client library

This is dangerous territory for users of said gem, as third-party attackers could exploit this vulnerability to perform remote code execution for personal gains. This could be in the form of privilege escalation attacks, whereby attackers could execute malicious code on the host’s server to access credentials of services used by a hosting site (i.e. database, payment service provider).

It should be noted this 1.6.13  version is considerably dated, as the latest rest-client version is 2.1.0.rc1. This raised suspicions among the DevOps community that this incident might have been a targeted attack.

This discovery then instigated a wider instigation which revealed that the same code was found in almost a dozen other gems: bitcoin_vanity, blockchain_wallet, omniauth_amazon, cron_parser, coin_base,  lita_coin, awesome-bot, doge-coin, and capistrano-colors. It has been established that the attacker(s) wanted to exploit the infected hosts to covertly mine cryptocurrency. 

In terms of scope of impact, the rest-client  version 1.6.13, which sparked the uncovering of this malicious plot, has had 1061 downloads. On the other hand, the total download count for all the compromised gems is a little over 3500. Regardless, the chaos ceases here as all affected gems have been removed by the RubyGems team – the compromised accounts of developers have also been locked for good measure.

As for the availability of a fix, version 1.6.14 (identical to the unaffected  v1.6.9) has been released to replace all compromised versions in the legacy 1.6.x series. To check your apps’ depencies, versions <= 1.6.9 or >= 1.6.14 are unaffected. If your version of the rest-client gems falls in between, you are advised to download the patch immediately. Don’t say you haven’t been warned!

CVE-2019-5457, CVE-2019-5458

Vulnerability Score: Medium — 5.4  (CVSS v3.0)

Platform: Node.JS 

Components: http-file-server, min-http-server

Affected versions: All versions

Look alive, all you http-file-server and min-http-server users! A cross-site scripting (XSS) vulnerability has been found in these third-party Node.JS modules. The HTTP File Server (HFS) is a web server used for the publishing and sharing of files. 

By definition, XSS is a type of cybersecurity vulnerability that enables attackers to inject client-side scripts into web pages viewed by unsuspecting users. Implications of XSS vary in range (i.e. petty nuisance to  critical security risk), depending on the nature of the data stored on the vulnerable site’s server and the strength of the security mitigation measures adopted by the site’s network.

In this instance, this cross-site scripting (XSS) vulnerability is the attack vector – it enables hackers with access to the server-file system to inject malicious Javascript-based scripts in the file name, so that these scripts will be automatically executed on the victim’s browser when files are listed. In technical jargon, this is known as improper neutralization of input during web page generation. The occurrence of this XSS vulnerability is due to the unsanitized  and invalid HTML input in the module filenames – it allows any injected and stored scripts within the server to be executed in the client’s browser.

The http-file-server has unfortunately been declared dead, and no known fixes have been made available to HFS users. The good news is that the project has been yanked to prevent further exploits such as hijacking of user sessions or phishing to steal user credentials. Credits to An Nguyen for disclosing these easily exploitable vulnerabilities to the DevSecOps community!

To end things, we will leave you with some helpful tips on cross-site scripting prevention methods. One should check that user input has been sanitized and that potentially executable characters have been properly encoded to avoid having them interpreted as executable code. It is also worth validating input as it stops users from adding special characters into webpage data entry fields by refusing the request – this mitigates the impact should an attacker discover such an XSS vulnerability.  We suggest you bookmark this useful resource: Cross Site Scripting Prevention Cheat Sheet, too!  

Found this useful? Sign up here to download the Meterian client today. You’ll get an instant analysis of your first project for free.  See the risks immediately and know which components to remove or upgrade to secure your app.

Vulnerability Focus: Remote Code Execution (RCE) Attacks

Time to update your boots!

Bootstrap v4.3.1 and v3.4.1 are out and available to patch an XSS vulnerability, CVE-2019-8331. For any users of the legacy 3.3.7, this will fix also other three XSS issues, namely CVE-2018-14040CVE-2018-14041 and CVE-2018-14042. Bootstrap now include a JavaScript sanitizer that will only allow whitelisted HTML elements in the data attribute of an element.

It’s available through all the channels: as NPM package, via CDNs and for old fashioned guys also as a direct download from Github. You do not have any excuses now, please upgrade!

 

Time to update your boots!