forked from nccgroup/Threat-Intelligence-Alerts
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Threat Intelligence Alert 31.03.2022 - Spring Core RCE aka Spring4Shell.txt
74 lines (46 loc) · 5.82 KB
/
Threat Intelligence Alert 31.03.2022 - Spring Core RCE aka Spring4Shell.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
Threat Intelligence Alert 31.03.22 - Spring Core RCE aka Spring4Shell (Updated 04/04/2022)
We are issuing this advisory to all customers to ensure awareness and advise that required mitigation actions are carried out where necessary.
On March 29th, 2022, a set of Tweets (now deleted) were published from a Chinese Twitter account showing screenshots of a new POC 0-day exploit in the popular Java library Spring Core.
Updated Details
Upon the initial release of this alert, a CVE had not yet been assigned but has since been tracked as CVE-2022-22965 as of the 31st of March, though a CVSS score is still pending. Alongside the Spring4Shell vulnerability was CVE-2022-22963 existing in Spring Cloud that can potentially grant access to system resources. While initially fears arose that CVE-2022-22963 would expose a variety of commonly used applications, the attack surface appears to be much smaller than initially reported in public media.
Key Details (Updated 04/04/2022)
CVE-2022-22965 (Spring4Shell) and CVE-2022-22963 (Separate RCE Vulnerability)
Disclosure Date – 29th March 2022
CVSS Score – Unknown
Affected Products – Spring Core (Framework for building modern Java-based enterprise applications)
As of 04-04, no off-the-shelf applications making use of SpringCore have been identified as vulnerable.
Exploit Released – Yes
Patch Available – Yes (Spring Cloud Function versions 3.1.7 and 3.2.3 to address CVE-2022-22963) and (Spring Framework versions 5.3.18 and 5.2.20 to address CVE-2022-22965). Vulnerable applications making use of the framework have to be updated by the maintainers of said applications.
Summary (Updated 04/04/2022)
The spring framework is an open-source framework that offers default converters for building or simplifying enterprise Java Applications. This vulnerability is found in the JDK version of Spring Core Framework and makes it vulnerable for executing code remotely due to a bypass for CVE-2010-1622. It is confirmed that this vulnerability leverages class injection as compared to a separate, recently released, Spring Cloud Function vulnerability (CVE-2022-22964).
Spring4Shell is a Remote Code Execution (RCE) vulnerability. Twitter users have taken to calling this vulnerability Spring4Shell due to its similarity to the Log4Shell zero-day vulnerability. This name also helps to distinguish Spring4Shell from other Spring RCE vulnerabilities such as the Spring Cloud Function library.
A vulnerable application has been publicly shared to help researchers determine if payloads being tested will successfully exploit the vulnerability. This vulnerable application can be found at: https://github.com/lunasec-io/spring-rce-vulnerable-app
The following GitHub page has details of the POC code
https://github.com/craig/SpringCore0day
The prerequisites:
– Uses Spring Beans
– Uses Spring Parameter Binding
– Spring Parameter Binding must be configured to use a non-basic parameter type, such as POJOs.
Based on these demonstrations of vulnerable applications and the approach towards exploiting them, the conditions to be vulnerable appear quite specific and as of now do not seem to be widespread in Java applications.
Detection (Updated 04/04/2022)
The vulnerability only affects the JDK versions 9+ where Spring Core is in use. To determine the version of the JDK that is running in an environment, the following command can be run in a terminal:
javac –version
All released versions of the Spring Core module are currently vulnerable. One method of determining if the Spring Core module is in use in an environment is to use the Maven dependency plugin and to run:
mvn dependency: tree
Cyber security researcher Florian Roth of Nextron Systems has developed Yara rules that, if used, may determine if a successful exploitation of the vulnerability has taken place. These rules are available at signature-base/expl_spring4shell.yar at master · Neo23x0/signature-base (github.com).
NCC Group has made several signatures for the detection of exploitation of CVE-2022-22965. More details can be found in the ‘NCC Group Actions’ section of this document.
Mitigation (Updated 04/04/2022)
Spring have released the below patches as of the 31st March that we suggest affected users administer as soon as possible:
Spring have released new Spring Cloud Function versions (3.1.7 and 3.2.3) to address CVE-2022-22963 and new Spring Framework versions (5.3.18 and 5.2.20) to address CVE-2022-22965 or “Spring4Shell.”
Details on the implementation of these patches, as well as further instructions to assess whether an application is vulnerable or not, have been documented on the official Spring Core blog: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
NCC Group Actions (Updated 04/04/2022)
NCC Group has developed coverage to detect exploitation attempts and distinguish exploitation attempts on whether they succeeded or not. This coverage has been developed for network monitoring and endpoint monitoring services. We are actively monitoring the exploitation attempts to hunt for post-exploitation IOCs and developments in targeting of the attacks.
Efforts are ongoing to create addition detections for our SIEM products that focus on post-exploitation activity, such as utilisation of webshells by attackers for reconnaissance and discovery.
Sources
https://www.praetorian.com/blog/spring-core-jdk9-rce/
https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/#exploit-scenario-overview
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21964
https://twitter.com/bytehx343/status/1509034539330732033
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://www.cisa.gov/uscert/ncas/current-activity/2022/04/01/spring-releases-security-updates-addressing-spring4shell-and
https://community.riskiq.com/article/8e5d7193