noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

CTS - Chicago Transit Authority

Updated Dates Parking Lane and Sidewalk Closure for W. Newport Avenue[...]
The United States Army

NY National Guard Soldiers and Airmen return from hurricane response[...]
The United States Army

Pennsylvania National Guard Rehearses Air Medevac

Technology

SonicWALL Inc.

10/18/2024 | Press release | Distributed by Public on 10/19/2024 02:13

Code Injection in Spring Cloud: CVE 2024 37084

Overview

The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-37084, assessed its impact, and developed mitigation measures for this vulnerability.

CVE-2024-37084 is a critical vulnerability affecting Spring Cloud Data Flow versions 2.11.0 through 2.11.3. A malicious user with access to the Skipper server API can exploit a flaw in the upload request process, allowing them to write arbitrary files to any location on the server's file system, potentially compromising the server. This vulnerability is assigned a CVSS score of 9.8 by VMware, indicating its critical nature. The flaw is associated with CWE-94, indicating improper control of code generation, which increases the risk of exploitation. Users of affected versions are strongly advised to upgrade to version 2.11.4 to mitigate this vulnerability. For more details, refer to the official advisory at Spring.io.

Technical Overview

[Link]

Figure 1: Upload Method

The vulnerability is triggered when the Skipper server processes HTTP POST requests to its REST API on port 7577. The upload() method (Figure 1) handles package uploads by accepting a JSON object containing the packageFileAsBytes key, which holds a Base64-encoded ZIP file. Once uploaded, the ZIP file is unpacked, and the server deserializes a package.yaml file, which contains metadata about the package. The issue arises because the contents of the YAML file are processed without adequate validation. This allows attackers to embed harmful Java class constructors directly within the YAML structure, enabling arbitrary code execution by deserializing classes like javax.script.ScriptEngineManager which are commonly used for remote code execution.

A critical security flaw in Spring Cloud Skipper arises from the improper deserialization of YAML files using the standard YAML constructor. The root cause lies in the constructor's failure to restrict the types of objects being created during the deserialization process, allowing attackers to provide malicious YAML data that could lead to remote code execution (RCE). This flaw is particularly dangerous because it enables attackers to craft specific YAML content that forces the application to instantiate arbitrary Java classes, bypassing security controls and executing harmful code.

The package.yaml file plays a central role in the exploitation, as it is deserialized using the SnakeYAML library's yaml.load() method (Figure 2). The library allows special syntax like !!, which permits the deserialization of any Java class constructor present in the YAML file. Without restrictions on what can be deserialized, attackers can execute untrusted code.

[Link]

Figure 2: yaml.load

Triggering the Vulnerability

To trigger the CVE-2024-37084 vulnerability, an attacker crafts a malicious YAML file containing specific Java class constructors that enable the deserialization of arbitrary objects. This file is then embedded within a ZIP file and sent to the Spring Cloud Skipper server via an HTTP POST request targeting the REST API. The ZIP file must contain a package.yaml file, which is unpacked and processed by the vulnerable yaml.load() method (Figure 2). Once deserialized, the malicious code is executed, granting the attacker remote control over the system and enabling arbitrary code execution.

Craft a Malicious YAML File: Create a YAML file with specific Java class constructors like !!javax.script.ScriptEngineManager to exploit deserialization.
Send a Malicious HTTP POST Request: Upload the crafted YAML through an HTTP POST request to the Skipper server's REST API.
ZIP File Structure: Ensure the ZIP file contains a package.yaml file with the malicious content for deserialization.
Execute Arbitrary Code: Upon processing the package.yaml, arbitrary code execution is triggered, allowing control over the system.

Exploitation

Exploitation of CVE-2024-37084 involves not only triggering the vulnerability but carefully executing a series of steps to manipulate the behavior of the Spring Cloud Skipper server. Once the attacker crafts a malicious YAML payload, they embed it within a package.yaml file and package it in a ZIP file. To evade detection by IPS/IDS systems and web application firewalls, the payload is often Base64-encoded or converted into a byte array before being sent. The attacker targets the vulnerable /api/package/upload endpoint using an HTTP POST request (Figure 3) with a carefully formatted UploadRequest JSON object to ensure the server processes the payload without raising validation errors.

[Link]

Figure 3: Post Request

Once the server receives and unpacks the ZIP file, it deserializes the YAML using the insecure yaml.load() method. If the YAML contains malicious code, such as references to external resources or a remote JAR file, the server will execute this code, leading to remote code execution (RCE). For instance, the attacker may use classes like javax.script.ScriptEngineManager to execute arbitrary code or java.net.URLClassLoader to load external libraries from a controlled server. Instructions for creating a malicious JAR file, which can be used to execute arbitrary code on the target server, are available here. The attacker can compile their Java code and host the JAR file on a web server, allowing the Spring Cloud Skipper server to retrieve and execute it upon deserialization. Monitoring server behavior, such as HTTP GET requests to the malicious resource, confirms the presence and exploitation of the vulnerability.

SonicWall Protections

To ensure SonicWall customers are prepared for any exploitation that may occur due to this vulnerability, the following signatures have been released:

IPS: 20414 Spring Cloud Data Flow Insecure Deserialization 1
IPS: 20415 Spring Cloud Data Flow Insecure Deserialization 2
IPS: 20416 Spring Cloud Data Flow Insecure Deserialization 3

Remediation Recommendations

The risks posed by this vulnerability can be mitigated or eliminated by:

Restricting API Access: Limit API access to only trusted users or systems.
Utilizing Up-to-Date IPS Signatures: Keep IPS signatures updated to block known threats.
Limiting Access to Critical Systems: Only allow trusted users access to key systems.
Regularly Updating and Patching Systems: Ensure all systems are regularly updated and patched.

Relevant Links

Spring Security Advisory

National Vulnerability Database (NVD)

Common Vulnerability Scoring System Calculation

CWE-94: Improper Control of Generation of Code ('Code Injection')

Spring Cloud Data Flow

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.

Sharing and Personal Tools

Please select the service you want to use:

Back

View original format