Security researchers warn that a patch recently released by Oracle for a critical vulnerability in its WebLogic Java application server can easily be bypassed. The risk of exploitation is high especially since exploit code is already available for the flaw.
The vulnerability, tracked as CVE-2018-2628, was addressed by Oracle in April and affects the WLS Core Components of WebLogic, which is used by many Oracle business applications. The flaw is rated 9.8 out of 10 on the CVSS criticality scale and can be exploited remotely.
Following the patch, details of the vulnerability were published online and someone built a proof-of-concept exploit that was later weaponized. Then last week, researchers from security firm GreyNoise Intelligence reported seeing a spike in scans on TCP port 7001, which is used by WebLogic.
Initially, GreyNoise suspected these scans might be part of a reconnaissance effort in preparation for exploitation of CVE-2018-2628 and later even spotted what they believed to be “opportunistic exploitation” of the vulnerability. However, after more tests the company revised its assessment, saying that the observed exploitation attempts were for an older WebLogic vulnerability, namely CVE-2017-10271.
Like the new CVE-2018-2628, that old vulnerability is a Java deserialization issue and was used earlier this year to install cryptocurrency miners on servers.
Serialization is an operation that involves converting data into a binary format for transmission over the wire, while deserialization is the reverse. Parsing data from untrusted sources, which deserialization is, has traditionally been a common source of vulnerabilities in all types of programs, so it’s no wonder that deserialization flaws commonly pop up in Java applications.
However, the problem with CVE-2018-2628 is that, according to some reports, Oracle didn’t do a very thorough job with the patch. A security researcher who uses the Twitter handle pyn3rd noticed that Oracle used a blacklist-approach to prevent exploitation, but missed a command that can also be used to trigger the bug. This means the flaw now has zero-day status.
This was confirmed by security researcher Kevin Beaumont, who noted that “Oracle isn’t even fixing the issues here, they’re just blacklisting commands.” He recommended that users block traffic on port 7001 TCP “inbound to your Fusion stack boxes.”
PDF Files Can Leak NTLM Credentials
Earlier this month, researchers from Carnegie Mellon University showed how the Object Linking and Embedding (OLE) functionality in the Rich Text Format (RTF) can be abused to leak users’ Windows password hashes to remote servers when emails are viewed in Microsoft Outlook. Now, researchers from Check Point Software Technologies warn that the same thing can be achieved by attackers through PDF files.
The Outlook exploit used to work because when rendering RTF-formatted emails, the client would automatically attempt to load remotely hosted OLE objects over the Server Message Block (SMB) protocol. When this happens, Windows automatically sends a hash of the user’s password for authentication—also known as an NTLM hash—which the attacker can then attempt to crack using brute-force methods.
The issue also can be exploited through Word documents, so Microsoft released a patch for the issue this month that changes the way Office applications handle OLE objects.
The Check Point researchers now point out that PDF files can also embed remote objects that can trigger SMB connections, having the same effect of leaking NTLM hashes.
“From the target’s perspective there is no evidence or any security alert of the attacker’s activity, which makes it impossible to notice abnormal behavior,” they said in a blog post. “Our investigation lead us to conclude that all Windows PDF-viewers are vulnerable to this security flaw and will reveal the NTLM credentials.”
Microsoft has added an optional mitigation to Windows 10 and Windows Server 2016 that allows administrators to disable NTLM Single Sign-On (SSO) authentication for public or unspecified resources.
“Customers need to configure a Network Isolation Policy (NIP) that defines which networks should be considered internal/enterprise and thus will permit NTLM as an SSO Authentication method,” the company said in its advisory.