threat campaigns

IP Intelligence Service
Hello Team, Kindly, I have a case where I took over managing our F5 appliances, which were managed by one of our vendors before, and I also found that we have the ASM and LTM modules installed on our BIG-IP. As I was checking the licenses I found that we have a Threat Campaigns add-on license and an IP Intelligence license as well, and as I was going through the implementation steps of IP Intelligence I found out it will be implemented through an iRule, and as I was looking at our BIG-IP we don't have any iRule configured for this, so there is a high chance that we have paid for an add-on license that we didn't use at all. So I need your support to solve and clarify the below concerns:
1- Is there any way to implement this without using iRules? If so, please let me know.
2- How to check if we are using the Threat Campaigns license in a correct way? I want to know if we are facing the same issue with this license also.
3- What is the list of other available add-on licenses, in order to look at it and know if we need any more licenses? Can you provide me a list of them?
Sorry if my questions look stupid since I am new to this role.
Regards,

Oracle WebLogic Console JNDI Injection (CVE-2021-2109)
Recently, a new critical patch update advisory was published by Oracle. One of the advisories is a fix for CVE-2021-2109, which affects WebLogic servers. The vulnerability allows an authenticated user to abuse the "JndiBinding" handler and trigger a JNDI (Java Naming and Directory Interface) lookup operation that fetches and deserializes a malicious class from an attacker-controlled server. Deserialization of the malicious class can result in arbitrary code execution on the WebLogic server. A day after the patch was released, a proof of concept was published by a researcher from the Alibaba Cloud research group, who originally reported this vulnerability to Oracle. Remote code execution vulnerabilities in WebLogic servers usually capture the attention of threat actors quickly, who adopt them as part of their arsenal and integrate them into their operations. The vulnerability can be exploited using a single HTTP request:

Figure 1: Proof of concept HTTP request exploit for CVE-2021-2109

This vulnerability requires the attacker to be authenticated first. To overcome that, it could be combined with the directory traversal method used in the previously published remote code execution in the WebLogic console (CVE-2020-14882), which allowed unauthenticated access; proof-of-concept code for the combination is already available:

Figure 2: Proof of concept exploit combining CVE-2021-2109 and CVE-2020-14882

Mitigation with BIG-IP Advanced WAF (Attack Signatures and Threat Campaigns)

Advanced WAF customers on any supported version can be protected by the newly released attack signature 200104674 (Oracle WebLogic Console JNDI Injection), which can be found under the Server-Side Code Injection attack type signatures.

Figure 3: Exploit attempt blocked by signature id 200104674

Customers with the Threat Campaigns license subscription can also be protected by the newly released "Oracle WebLogic Console JndiBindingHandler RCE" Threat Campaign.

Figure 4: Exploit attempt blocked by the "Oracle WebLogic Console JndiBindingHandler RCE" Threat Campaign

Threat Campaigns Targeting Oracle WebLogic Servers (CVE-2020-14882)
Recently a new unauthenticated remote code execution vulnerability was disclosed in Oracle WebLogic Server. A path traversal vulnerability in the URL allowed smuggling unauthenticated requests to the management portal console and invoking dangerous Java classes, which resulted in executing shell commands on the server. Additional information regarding the vulnerability and its mitigation with attack signatures is available in our previous article on the matter. As expected, the simplicity of exploiting this vulnerability allowed different threat actors to immediately adopt it into their arsenal. Since the vulnerability was published, the F5 Threat Research Team has observed at least 5 distinct campaigns, which were also mentioned by different sources. Following are several of the campaigns and their mitigation with the Advanced WAF Threat Campaigns feed.

Oracle WebLogic Console Path Traversal RCE – DarkIRC

In the most recent campaign, analyzed in detail by the Juniper research team, threat actors leverage this vulnerability to distribute the DarkIRC bot. According to the article, this bot is currently being sold on hacking forums for $75 USD.

Figure: Threat Campaign mitigating an attempt to execute a PowerShell command on a WebLogic server

Oracle WebLogic Console Path Traversal RCE – Z8qZ

In this campaign, following a successful exploitation of the WebLogic server, attackers executed an obfuscated PowerShell spearhead script to drop an agent of the Cobalt Strike exploitation framework, which is a legitimate penetration testing tool but is also known to be used by many notorious APT groups. This campaign was analyzed in detail by the Suns research team.

Figure: List of known APT groups using Cobalt Strike in their attacks (taken from MITRE ATT&CK)

Figure: Threat Campaign mitigating an attempt to deploy a Cobalt Strike payload on a WebLogic server

Oracle WebLogic Console Path Traversal RCE – PS reverse shell

In this campaign, attackers execute PowerShell commands to create a reverse shell connection to the attackers' command server and use this channel to issue further shell commands.

Figure: Threat Campaign mitigating an attempt to deploy a PowerShell reverse shell on a WebLogic server

Oracle WebLogic Console Path Traversal RCE – LBBROWSER

This campaign probes for vulnerable WebLogic servers by issuing a "whoami" command in a custom "cmd" header. The way the attacker executes the command is quite interesting: usually the exploit payload is executed directly, but this time the exploit code takes the payload from the "cmd" header.

Figure: Threat Campaign mitigating an attempt to execute an OS command on a WebLogic server

Oracle WebLogic Console Path Traversal RCE – WSW0

This campaign probes for vulnerable servers by issuing a GET request to a remote server. It is part of a broader operation which targets additional popular systems with publicly available exploits, such as:

Oracle WebLogic Console Path Traversal RCE
Oracle WebLogic WLS Security Component RCE
Plone Zope SAXutils Command Execution
JAWS Web Server Remote Code Execution
ThinkPHP Remote Code Execution
ElasticSearch Search Groovy Sandbox Bypass

Figure: Threat Campaign mitigating an attempt to execute a "wget" command on a WebLogic server

Advanced WAF Threat Campaigns allow customers to detect and mitigate web vulnerabilities which are actively exploited by adversaries, without false positives and with additional context about the attack.