Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/21/2013
06:07 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Who's The Boss Over Your JBoss Servers?

If you haven't patched a 2011 vulnerability found in more than 21,000 servers connected online, then the answer could be the person who installed a crimeware webshell

A widely unpatched vulnerability in JBoss Application Server (AS) discovered back in 2011 is opening up tens of thousands of enterprise data center servers to attack, with at least 500 actively compromised, according to a report out this week by Imperva. The analysis done by Imperva's security research team suggests that enterprises are not hardening their servers adequately and as a result are putting their entire data center operations at risk.

"The attackers are looking to circumvent methods that are supposed to be hardened because they expect vendors not to do a good job hardening their administrative access or functions," says Barry Shteiman, director of security strategy for Imperva. "Because of that, attackers are using that to inject standard or classic forms of attack -- in this case, a webshell -- which generally allows them full control over the server."

In this instance, Shteiman and his team noticed the attack trend after seeing a surge of attacks in online systems that demonstrated features they hadn't commonly seen before. Looking into it further, the team found the attacks all shared a distinct commonality: They were all suffered by JBoss servers.

"When we looked into it, we found that JBoss has a component called HTTPInvoker, and that component was found vulnerable, similarly to some other vulnerabilities we looked into recently that basically allowed an administrative function to be accessed without actually being an administrator logged in," Shteiman says. "In this case, it's a function that is supposed to populate new servlets or new pieces of code in the server. In a default state, JBoss allows that function to be used by anyone that wants it."

[How do you know if you've been breached? See Top 15 Indicators of Compromise.]

Attackers leveraged that hole to inject a webshell on vulnerable servers and achieve "full control over the data center," says Shteiman. He says that his research has shown there are likely around 500 JBoss servers currently compromised at the moment, by anywhere between 15 to 17 flavors of webshells. Among those, the most popular are a webshell called pwn.jsp that was demonstrated in an exploit published last month, along with a more slick crimeware webshell called JspSpy.

As Shteiman explains, JBoss AS is the de facto server platform for enterprises writing applications in Java.

"A lot of trading companies and banks are using it to hold up their main banking applications," says Shteiman. Even more frightening is its popularity among technology vendors that use it as a component for enterprise products and who could potentially be compromised before even shipping, essentially sending out products with built-in backdoors, he says.

The vulnerability in question was actually found in 2011 by Luca Carettoni, at the time a senior security consultant for Matasano Security, who then reported about 7,000 servers online susceptible to the vulnerability. Since then, rather than declining, the number of vulnerable servers has tripled, says Shteiman, who believes that part of the problem was a misclassification in the CVE database.

"It was classified as a vulnerability that affected product elements of HP ProCurve, and therefore I don't think anyone ever understood the research to its full effect," he says.

Nevertheless, security experts say this is something that should have been caught by more organizations, given the age of the vulnerability discovery.

"When the solution to this JBoss exploit is to simply update the affected servers, there is hardly any excuse for anyone to be affected by it, especially when the vulnerability has been discovered more than two years ago," says Michael Yuen, security engineer at application security firm Cenzic.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9351
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. If an unauthenticated attacker makes a POST request to /tools/developerConsoleOperations.jsp or /isomorphic/IDACall with malformed XML data in the _transaction parameter, the server replies with a verbose error showing where the application resides (the a...
CVE-2020-9352
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the _transaction parameter.
CVE-2020-9353
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) loadFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL is affected by unauthenticated Local File Inclusion via directory-traversal sequences in the elem XML ...
CVE-2020-9354
PUBLISHED: 2020-02-23
An issue was discovered in SmartClient 12.0. The Remote Procedure Call (RPC) saveFile provided by the console functionality on the /tools/developerConsoleOperations.jsp (or /isomorphic/IDACall) URL allows an unauthenticated attacker to overwrite files via vectors involving an XML comment and /.. pat...
CVE-2020-9355
PUBLISHED: 2020-02-23
danfruehauf NetworkManager-ssh before 1.2.11 allows privilege escalation because extra options are mishandled.