Remote Code Execution Deserialization Vulnerability Blocked by Contrast

On May 20, 2020, the National Vulnerability Database (NVD) published a new CVE—CVE-2020-9484. The vulnerability associated with CVE-2020-9484 allows any anonymous attacker with internet access to submit a malicious request to a Tomcat Server that has PersistentManager enabled using FileStore. This is not the default setup, but it can be configured by administrators in this way. Red Timmy Security wrote in detail about the vulnerability and exploit.

The great news is that Contrast Protect customers are protected from this vulnerability being exploited.
CVE-2020-9484 as Untrusted Deserialization

The vulnerability is categorized as untrusted deserialization. MITRE defines untrusted deserialization in CWE-502 as, “The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.” In the case of the Tomcat vulnerability, the PersistentManager uses ObjectInputStream, the notorious entry point for gadget-chain attacks, to deserialize and read the persisted session information.

The good news is that Contrast Protect blocks attacks against this vulnerability. Specifically, Contrast Protect detects gadget chains, the series of method invocations that ObjectInputStream triggers while reconstructing objects. In this case, those method invocations are not properly restricted during the deserialization process.
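As an added illustration of the restriction that is missing in the vulnerable path (this is not Contrast's or Tomcat's code), the following uses the JDK's serialization filter (java.io.ObjectInputFilter, Java 9+) to allowlist only the types a session store legitimately needs and reject every other class before its methods can run. The `Unexpected` class and the allowlist entries are assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Added example, not Contrast's or Tomcat's code. Assumes Java 9+ for java.io.ObjectInputFilter.
public class SessionFilterDemo {

    // Hypothetical stand-in for any class that has no business inside a persisted session.
    static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Allowlist (assumed for the demo): types a session map actually needs; "!*" rejects all others.
    static final ObjectInputFilter SESSION_FILTER = ObjectInputFilter.Config.createFilter(
            "java.util.HashMap;java.lang.String;java.lang.Number;java.lang.Integer;!*");

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached: a class outside the allowlist is rejected
    // with InvalidClassException before any of its readObject/readResolve logic executes.
    static Object readWithFilter(byte[] data) throws Exception {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(SESSION_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        HashMap<String, Object> session = new HashMap<>();   // constructed sample session data
        session.put("user", "alice");
        session.put("cartItems", 3);
        System.out.println("allowed: " + readWithFilter(serialize(session)));

        try {
            readWithFilter(serialize(new Unexpected()));
            System.out.println("filter did not fire (not expected)");
        } catch (InvalidClassException e) {
            System.out.println("blocked: " + e.getMessage());   // filter status: REJECTED
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the closest JDK-level analogue to the runtime restriction the post describes.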

This specific remote code execution (RCE) allows attackers to submit arbitrary system commands, which then run dynamically on the server side. The associated CVSS 3.1 score is a 9.8 critical. This score does not accurately portray the overall risk of this CVE. Certain actions and configurations are required in order for the vulnerability to be exploited, such as appropriate settings in Tomcat, as well as attackers locating a separate file upload vulnerability to exploit in order to plant the malicious payload.

That said, when these requirements are met, the vulnerability provides attackers with full control to write and execute system commands dynamically on the back-end Tomcat Server. As a result, Contrast Labs believes that the associated CVSS 2.0 score of 6.8 that places the CVE at a medium risk is more accurate.

What Does the Exploit of CVE-2020-9484 Look Like?

Thanks to masahiro311, there is a dockerized proof of concept (POC) available on GitHub. The instructions in the README are as follows:

Get the POC and spin up the Docker container:

[image: docker-container-2]

Perform the exploit:

[image: perform-exploit]

Verify the success of the exploit:

[image: verify-exploit]

Confirming the CVE Has Been Fixed

As of the publication of this blog post, all vulnerable versions of Apache Tomcat Server have been patched:

[image: apache-tomcat-server]

Anyone with a vulnerable version of Apache Tomcat Server should upgrade to a patched version as soon as possible.

How Does Contrast Protect Block CVE-2020-9484 Attacks?

Contrast Protect detects and blocks the Apache Tomcat untrusted deserialization vulnerability out of the box, with no configuration required. To show how this works, Contrast Labs’ internal security researchers ran the POC referenced above against a vulnerable version of Tomcat in a Docker container and added the Contrast Protect agent simply by modifying the provided Dockerfile to:

[image: how-contrast-blocks-cve-attacks]

Readers will want to note the highlighted sections where we added the Contrast agent, as well as its configuration. We then defined the “JAVA_TOOL_OPTIONS” environment variable to include the Contrast Java agent.

Our researchers started the Tomcat Docker container and ran the exploit per the specifications in the POC:

[image: tomcat-docker-container-specs-POC]


The output to the curl command was as follows:

[image: output-curl]

Readers will notice that the output is much different from the output of a successful exploit. We highlighted the part that shows the Contrast agent detecting a system command call during deserialization. We then followed the POC steps to check whether the “/tmp/rce” file had been created, and confirmed that it had not. Finally, we browsed to the Contrast UI and saw the detected and blocked untrusted deserialization attack:

[image: block-untrusted-deserialization]

To enable the block mode on untrusted deserialization, users need to navigate in the Contrast Protect user interface to “Policy Management” -> “Protect Rules” -> “Untrusted Deserialization.” At that point, users need to verify the environment running their Tomcat instance is in “block” mode.

[image: manage-untrusted-deserialization]

To learn more about managing Contrast Protect Rules, check out the article in Contrast OpenDocs. And for more details on Contrast Protect, read our solution brief, “Contrast Protect with Runtime Application Self-Protection (RASP).”


*** This is a Security Bloggers Network syndicated blog from Security Influencers Blog authored by David Lindner, Director, Application Security. Read the original post at: https://www.contrastsecurity.com/security-influencers/remote-code-execution-deserialization-vulnerability